Quantifying risk based on relationships and applying protections based on business rules

US 8,875,229 B2
Filed: 12/21/2012
Issued: 10/28/2014
Est. Priority Date: 12/21/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request to access a virtual private network (VPN) from a user, the request including a user identification;

receiving metadata of the request to access the VPN, the metadata including;

confirmation of the user identification by an entity physically proximate the user, the entity physically proximate to the user including a coworker of the user, anda VPN tunnel endpoint;

querying a database with the user identification and the metadata to identify relationship data, the relationship data indicating a relationship between an individual assigned the user identification and the VPN, wherein the relationship data includes a degree of risk of compromise;

inputting the relationship data into a rules engine; and

selecting at least one security measure with the rules engine based on the relationship data, wherein said selecting of the at least one security measure includes;

selecting a greater security measure the farther the relationship between the individual assigned the user identification and the VPN, andselecting a lesser security measure the closer the relationship between the individual assigned the user identification and the VPN.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment of the invention provides a method for controlling access to a system, wherein a request to access the system and metadata of the request are received from a user, the request including a user identification. The metadata includes: information obtained from a history of prior accesses to an application access system, information obtained from a history of prior accesses to a wireless authentication system, and/or confirmation of the user identification by an entity physically proximate to the user. A database is queried with the user identification and the metadata to identify relationship data. The relationship data indicates the relationship between the individual assigned the user identification and an entity owning the system, an entity leasing the system, and/or an entity operating the system. The relationship data is input into a rules engine; and, security measure(s) are selected with the rules engine based on the relationship data.

13 Citations

View as Search Results

25 Claims

1. A method comprising:
- receiving a request to access a virtual private network (VPN) from a user, the request including a user identification;
  
  receiving metadata of the request to access the VPN, the metadata including;
  
  confirmation of the user identification by an entity physically proximate the user, the entity physically proximate to the user including a coworker of the user, anda VPN tunnel endpoint;
  
  querying a database with the user identification and the metadata to identify relationship data, the relationship data indicating a relationship between an individual assigned the user identification and the VPN, wherein the relationship data includes a degree of risk of compromise;
  
  inputting the relationship data into a rules engine; and
  
  selecting at least one security measure with the rules engine based on the relationship data, wherein said selecting of the at least one security measure includes;
  
  selecting a greater security measure the farther the relationship between the individual assigned the user identification and the VPN, andselecting a lesser security measure the closer the relationship between the individual assigned the user identification and the VPN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein the metadata includes information obtained from a history of prior accesses to an application access system.
  - 3. The method according to claim 2, wherein the history of prior accesses to the application access system includes:
    - a quantity of prior accesses to the application access system;
      
      a frequency of prior accesses to the application access system;
      
      a physical location of prior accesses to the application access system;
      
      a logical location of prior accesses to the application access system; and
      
      at least one identifier of a device accessing the VPN.
  - 4. The method according to claim 1, wherein the metadata includes information obtained from a history of prior accesses to a local or remote, wired or wireless authentication system.
  - 5. The method according to claim 4, wherein the history of prior accesses to the local or remote, wired or wireless authentication system includes:
    - a quantity of prior accesses to the local or remote, wired or wireless authentication system;
      
      a frequency of prior accesses to the local or remote, wired or wireless authentication system;
      
      a physical location of prior accesses to the local or remote, wired or wireless authentication system; and
      
      a logical location of prior accesses to the local or remote, wired or wireless authentication system.
  - 6. The method according to claim 1, wherein the metadata includes confirmation of the user identification by an entity physically proximate the user.
  - 7. The method according to claim 1, wherein the relationship data indicates a relationship between the individual assigned the user identification and an entity owning the VPN, an entity leasing the VPN, and an entity operating the VPN.
  - 8. The method according to claim 1, wherein the relationship data includes at least one of a manager, an immediate manager, a manager in a management chain, a manager outside of the management chain, an employee, an employee in a select department, an employee outside of the select department, an employee in the management chain, an employee outside of the management chain, an employee within a select business unit, an employee within a physical location, an employee with select job title, an employee with a select job role, and an employee with a select job responsibility.
  - 9. The method according to claim 1, wherein the security measure includes:
    - requiring the user to answer at least one security question;
      
      requiring the user to provide at least one security credential;
      
      sending of at least one alert;
      
      requiring at least one authorization from another entity;
      
      querying a device at the requesting endpoint for at least one device attribute; and
      
      querying the device at the requesting endpoint for device identification.

10. A method for controlling access to a virtual private network (VPN), said method comprising:
- receiving a request to access the VPN from a user, the request including a user identification;
  
  receiving metadata of the request to access the VPN, the metadata including;
  
  information obtained from a history of prior accesses to an application access system,information obtained from a history of prior accesses to a wireless authentication system,confirmation of the user identification by an entity physically proximate to the user, the entity physically proximate to the user including a coworker of the user, anda VPN tunnel endpoint;
  
  querying a database with the user identification and the metadata to identify relationship data, the relationship data indicating a relationship between an individual assigned the user identification and the VPN, wherein the relationship data includes a degree of risk of compromise;
  
  inputting the relationship data into a rules engine; and
  
  selecting at least one security measure with the rules engine based on the relationship data, wherein said selecting of the at least one security measure includes;
  
  selecting a greater security measure the farther the relationship between the individual assigned the user identification and the VPN, andselecting a lesser security measure the closer the relationship between the individual assigned the user identification and the VPN.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method according to claim 10, wherein the history of prior accesses to the application access system includes:
    - a quantity of prior accesses to the application access system;
      
      a frequency of prior accesses to the application access system;
      
      a physical location of prior accesses to the application access system; and
      
      a logical location of prior accesses to the application access system.
  - 12. The method according to claim 10, wherein the history of prior accesses to the wireless authentication system includes:
    - a quantity of prior accesses to the wireless authentication system;
      
      a frequency of prior accesses to the wireless authentication system;
      
      a physical location of prior accesses to the wireless authentication system; and
      
      a logical location of prior accesses to the wireless authentication system.
  - 13. The method according to claim 10, wherein the relationship data includes at least one of a manager, an immediate manager, a manager in a management chain, a manager outside of the management chain, an employee, an employee in a select department, an employee outside of the select department, an employee in the management chain, an employee outside of the management chain, an employee within a select business unit, an employee within a physical location, and an employee with select job title.
  - 14. The method according to claim 10, wherein the security measure includes at least one of:
    - requiring the user to answer at least one security question;
      
      requiring the user to provide at least one security credential;
      
      sending of at least one alert;
      
      requiring at least one authorization from another entity;
      
      querying a device at the requesting endpoint for at least one device attribute; and
      
      querying the device at the requesting endpoint for device identification.

15. A method for controlling access to a virtual private network (VPN), said method comprising:
- receiving a request to access the VPN from a user, the request including a user identification;
  
  receiving metadata of the request to access the VPN, the metadata including at least one of;
  
  information obtained from a history of prior accesses to an application access system,information obtained from a history of prior accesses to a wireless authentication system, andconfirmation of the user identification by an entity physically proximate the user, the entity physically proximate to the user including a coworker of the user, anda VPN tunnel endpoint;
  
  querying a database with the user identification and the metadata to identify relationship data, the relationship data indicating a relationship between the individual assigned the user identification and an entity owning the VPN, an entity leasing the VPN, and an entity operating the VPN, wherein the relationship data includes a degree of risk of compromise;
  
  inputting the relationship data into a rules engine; and
  
  selecting at least one security measure with the rules engine based on the relationship data, wherein said selecting of the at least one security measure includes;
  
  selecting a greater security measure the farther the relationship between the individual assigned the user identification and the VPN, andselecting a lesser security measure the closer the relationship between the individual assigned the user identification and the VPN.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method according to claim 15, wherein the history of prior accesses to the application access system includes at least one of:
    - a quantity of prior accesses to the application access system;
      
      a frequency of prior accesses to the application access system;
      
      a physical location of prior accesses to the application access system; and
      
      a logical location of prior accesses to the application access system.
  - 17. The method according to claim 15, wherein the history of prior accesses to the wireless authentication system includes at least one of:
    - a quantity of prior accesses to the wireless authentication system;
      
      a frequency of prior accesses to the wireless authentication system;
      
      a physical location of prior accesses to the wireless authentication system; and
      
      a logical location of prior accesses to the wireless authentication system.
  - 18. The method according to claim 15, wherein the relationship data includes at least one of a manager, an immediate manager, a manager in a management chain, a manager outside of the management chain, an employee, an employee in a select department, an employee outside of the select department, an employee in the management chain, an employee outside of the management chain, an employee within a select business unit, an employee within a physical location, and an employee with select job title.
  - 19. The method according to claim 15, wherein the security measure includes at least one of:
    - requiring the user to answer at least one security question;
      
      requiring the user to provide at least one security credential;
      
      sending of at least one alert;
      
      requiring at least one approval from another entity;
      
      querying a device at the requesting endpoint for at least one device attribute; and
      
      querying the device at the requesting endpoint for device identification.

20. A method for controlling access to a virtual private network (VPN), said method comprising:
- receiving a request to access the VPN from a user, the request including a user identification;
  
  receiving metadata of the request to access the VPN, the metadata including;
  
  information obtained from a history of prior accesses to an application access system,information obtained from a history of prior accesses to a wireless authentication system, andconfirmation of the user identification by an entity physically proximate the user, the entity physically proximate to the user including a coworker of the user, anda VPN tunnel endpoint;
  
  querying a database with the user identification and the metadata to identify relationship data, the relationship data indicating a relationship between an individual assigned the user identification and the VPN, wherein the relationship data includes a degree of risk of compromise;
  
  inputting the relationship data into a rules engine; and
  
  selecting at least one security measure with the rules engine based on the relationship data, wherein said selecting of the at least one security measure includes;
  
  selecting a greater security measure the farther the relationship between the individual assigned the user identification and the VPN, andselecting a lesser security measure the closer the relationship between the individual assigned the user identification and the VPN.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The method according to claim 20, wherein the history of prior accesses to the application access system includes:
    - a quantity of prior accesses to the application access system;
      
      a frequency of prior accesses to the application access system;
      
      a physical location of prior accesses to the application access system; and
      
      a logical location of prior accesses to the application access system.
  - 22. The method according to claim 20, wherein the history of prior accesses to the wireless authentication system includes:
    - a quantity of prior accesses to the wireless authentication system;
      
      a frequency of prior accesses to the wireless authentication system;
      
      a physical location of prior accesses to the wireless authentication system; and
      
      a logical location of prior accesses to the wireless authentication system.
  - 23. The method according to claim 20, wherein the relationship data includes at least one of a manager, an immediate manager, a manager in a management chain, a manager outside of the management chain, an employee, an employee in a select department, an employee outside of the select department, an employee in the management chain, an employee outside of the management chain, an employee within a select business unit, an employee within a physical location, and an employee with select job title.
  - 24. The method according to claim 20, wherein the security measure includes:
    - requiring the user to answer at least one security question;
      
      requiring the user to provide at least one security credential;
      
      sending of at least one alert;
      
      requiring at least one approval from another entity;
      
      querying a device at the requesting endpoint for at least one device attribute; and
      
      querying the device at the requesting endpoint for device identification.
  - 25. The method according to claim 20, wherein the relationship data indicates a relationship between the individual assigned the user identification and at least one of an entity owning the VPN, an entity leasing the VPN, and an entity operating the VPN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hoyos, Carlos, Lingafelt, Charles Steven
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US13/725,225
Publication Number

US 20140181890A1
Time in Patent Office

676 Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/31   User authentication

G06F 21/604   Tools and structures for ma...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/0272   Virtual private networks

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04W 12/069   using certificates or pre-s...

H04W 12/08   Access security

Quantifying risk based on relationships and applying protections based on business rules

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Quantifying risk based on relationships and applying protections based on business rules

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others