Dynamic optimizing scanner for identity and access management (IAM) compliance verification
Abstract
An identity and access management (IAM) system is associated with a set of data sources from which data is collected. A set of vulnerabilities that the IAM system should attempt to detect is identified. For each vulnerability to be detected, a prioritized list of strategies used to detect that vulnerability is generated. Preferably, each strategy specifies the type(s) of data required to detect that vulnerability. An algorithm to determine a best strategy to be used for detecting each vulnerability, preferably based on the data available from the data sources, is then identified. The IAM system then collects data in an optimized manner. In particular, during the collection process, the IAM system preferably collects only what is necessary based on the configuration, even if the data source is capable of providing additional data. The collected data is then processed to detect security vulnerabilities associated with the IAM accounts.
17 Claims
1. A method to facilitate detection of security vulnerabilities in accounts provisioned in an identity and access management (IAM) system, comprising:
    determining types of data supported by a set of data sources;
    based on the types of data supported by the set of data sources, determining a set of vulnerability detection strategies to apply to detect the security vulnerabilities;
    based on the set of vulnerability detection strategies, collecting data from the data sources, wherein during data collection a given data source of the set of data sources is invoked just once to collect data for all of the set of vulnerability detection strategies, the given data source being instructed to collect only the types of data required by the set of vulnerability detection strategies determined; and
    based on the data collected, executing the set of vulnerability detection strategies.
Dependent claims: 2, 3, 4, 5.
6. An apparatus, comprising:
    a processor;
    computer memory holding computer program instructions executed by the processor to facilitate detection of security vulnerabilities in accounts provisioned in an identity and access management (IAM) system, the computer program instructions operative to:
        determine types of data supported by a set of data sources;
        based on the types of data supported by the set of data sources, determine a set of vulnerability detection strategies to apply to detect the security vulnerabilities;
        based on the set of vulnerability detection strategies, collect data from the data sources, wherein during data collection a given data source of the set of data sources is invoked just once to collect data for all of the set of vulnerability detection strategies, the given data source being instructed to collect only the types of data required by the set of vulnerability detection strategies determined; and
        based on the data collected, execute the set of vulnerability detection strategies.
Dependent claims: 7, 8, 9, 10.
11. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, facilitate detection of security vulnerabilities in accounts provisioned in an identity and access management (IAM) system, the computer program instructions operative to:
    determine types of data supported by a set of data sources;
    based on the types of data supported by the set of data sources, determine a set of vulnerability detection strategies to apply to detect the security vulnerabilities;
    based on the set of vulnerability detection strategies, collect data from the data sources, wherein during data collection a given data source of the set of data sources is invoked just once to collect data for all of the set of vulnerability detection strategies, the given data source being instructed to collect only the types of data required by the set of vulnerability detection strategies determined; and
    based on the data collected, execute the set of vulnerability detection strategies.
Dependent claims: 12, 13, 14, 15.
16. An identity and access management system, comprising:
    a set of data sources;
    a vulnerability scanner; and
    computer program instructions stored in computer memory and executed by one or more hardware processors to:
        determine types of data supported by a set of data sources;
        based on the types of data supported by the set of data sources, determine a set of vulnerability detection strategies to apply to detect the security vulnerabilities;
        based on the set of vulnerability detection strategies, collect data from the data sources, wherein during data collection a given data source of the set of data sources is invoked just once to collect data for all of the set of vulnerability detection strategies, the given data source being instructed to collect only the types of data required by the set of vulnerability detection strategies determined; and
        based on the data collected, instruct the vulnerability scanner to execute the set of vulnerability detection strategies.
Dependent claims: 17.
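The procedure that the abstract and claim 1 describe (discover which data types each source supports, pick one strategy per vulnerability from a prioritized list based on what the sources can supply, invoke each source exactly once for only the types the chosen strategies need, then run those strategies over the collected data), worked through as an added, self-contained Python illustration. It is not code from the patent or from any product the patent covers. The source names (`directory`, `hr_feed`), the data types, the vulnerability and strategy names, the fixed reference date and the three account records are all constructed for this example.

```python
"""Strategy-selecting IAM scanner: a constructed illustration of the claimed method."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable

TODAY = date(2024, 6, 1)  # fixed reference date so results are deterministic (constructed)


@dataclass
class DataSource:
    """A hypothetical IAM data source that can supply a fixed set of data types."""
    name: str
    supported: frozenset                       # data types this source can provide
    records: dict                              # account_id -> {data_type: value}, constructed
    calls: list = field(default_factory=list)  # one entry per invocation: the types requested

    def collect(self, requested):
        """Single invocation: return only the requested data types for every account."""
        self.calls.append(frozenset(requested))
        return {acct: {k: v for k, v in attrs.items() if k in requested}
                for acct, attrs in self.records.items()}


@dataclass
class Strategy:
    """One way of detecting a vulnerability, with the data types it needs."""
    name: str
    requires: frozenset
    check: Callable[[dict], bool]  # merged attributes of one account -> True means a finding


# Prioritized strategies per vulnerability; the first entry is preferred. Hypothetical names.
STRATEGIES = {
    "dormant_account": [
        Strategy("last_login_90d", frozenset({"last_login"}),
                 lambda d: TODAY - d["last_login"] > timedelta(days=90)),
        Strategy("password_age_fallback", frozenset({"password_set"}),
                 lambda d: TODAY - d["password_set"] > timedelta(days=365)),
    ],
    "privileged_without_mfa": [
        Strategy("groups_and_mfa", frozenset({"groups", "mfa_enrolled"}),
                 lambda d: "admins" in d["groups"] and not d["mfa_enrolled"]),
    ],
    "orphaned_account": [
        Strategy("hr_status", frozenset({"employment_status"}),
                 lambda d: d["employment_status"] != "active"),
    ],
}


def select_strategies(sources, vulnerabilities):
    """From the union of supported types, pick the highest-priority strategy per
    vulnerability whose requirements can all be satisfied; otherwise skip it."""
    available = frozenset().union(*(s.supported for s in sources))
    chosen = {}
    for vuln in vulnerabilities:
        for strat in STRATEGIES[vuln]:
            if strat.requires <= available:
                chosen[vuln] = strat
                break  # data for lower-priority alternatives is never collected
    return chosen


def plan_collection(sources, chosen):
    """Per source: only the subset of its supported types that some chosen strategy
    needs. A source that contributes nothing is not invoked at all."""
    needed = frozenset().union(*(s.requires for s in chosen.values()))
    return {src.name: src.supported & needed
            for src in sources if src.supported & needed}


def scan(sources, vulnerabilities):
    """Full pipeline: select, plan, collect once per source, execute strategies."""
    chosen = select_strategies(sources, vulnerabilities)
    plan = plan_collection(sources, chosen)
    merged = {}
    for src in sources:
        if src.name in plan:
            for acct, attrs in src.collect(plan[src.name]).items():
                merged.setdefault(acct, {}).update(attrs)
    findings = []
    for vuln, strat in chosen.items():
        for acct, attrs in merged.items():
            # an account missing from one source cannot be judged by a strategy needing it
            if strat.requires <= frozenset(attrs) and strat.check(attrs):
                findings.append((vuln, acct, strat.name))
    return chosen, plan, sorted(findings)


def build_sample_sources():
    """Constructed sample data: a directory and an HR feed covering three accounts."""
    directory = DataSource(
        "directory", frozenset({"last_login", "groups", "mfa_enrolled", "password_set"}),
        {"alice": {"last_login": date(2024, 5, 30), "groups": ["admins"],
                   "mfa_enrolled": True, "password_set": date(2023, 1, 1)},
         "bob": {"last_login": date(2024, 1, 15), "groups": ["staff"],
                 "mfa_enrolled": False, "password_set": date(2024, 1, 10)},
         "carol": {"last_login": date(2024, 5, 20), "groups": ["admins"],
                   "mfa_enrolled": False, "password_set": date(2024, 2, 1)}})
    hr_feed = DataSource(
        "hr_feed", frozenset({"employment_status", "cost_center"}),
        {"alice": {"employment_status": "active", "cost_center": "eng"},
         "bob": {"employment_status": "terminated", "cost_center": "ops"},
         "carol": {"employment_status": "active", "cost_center": "sec"}})
    return [directory, hr_feed]


if __name__ == "__main__":
    sources = build_sample_sources()
    chosen, plan, findings = scan(sources, list(STRATEGIES))
    for vuln, strat in chosen.items():
        print(f"{vuln}: using {strat.name}")
    for name, types in plan.items():
        print(f"collect from {name}: {sorted(types)}")
    for finding in findings:
        print("finding:", finding)
```

Two details carry the abstract's point. The directory can supply `password_set`, but once `last_login_90d` is chosen the planner never asks for it, so the source is invoked once with a narrower request than it could serve; and if a deployment only had a source exposing `password_set`, `select_strategies` would fall through to `password_age_fallback` for the same vulnerability, which is the prioritized-list behaviour the abstract describes.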