Dynamic optimizing scanner for identity and access management (IAM) compliance verification

US 9,600,666 B1
Filed: 12/03/2015
Issued: 03/21/2017
Est. Priority Date: 12/03/2015
Status: Active Grant

First Claim

Patent Images

1. A method to facilitate detection of security vulnerabilities in accounts provisioned in an identity and access management (IAM) system, comprising:

determining types of data supported by a set of data sources;

based on the types of data supported by the set of data sources, determining a set of vulnerability detection strategies to apply to detect the security vulnerabilities;

based on the set of vulnerability detection strategies, collecting data from the data sources, wherein during data collection a given data source of the set of data sources is invoked just once to collect data for all of the set of vulnerability detection strategies, the given data source being instructed to collect only the types of data required by the set of vulnerability detection strategies determined; and

based on the data collected, executing the set of vulnerability detection strategies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An identity and access management (IAM) system is associated with a set of data sources from which data is collected. A set of vulnerabilities that the IAM system should attempt to detect is identified. For each vulnerability to be detected, a prioritized list of strategies used to detect that vulnerability is generated. Preferably, each strategy specifies the type(s) of data required to detect that vulnerability. An algorithm to determine a best strategy to be used for detecting each vulnerability, preferably based on the data available from the data sources, is then identified. The IAM system then collects data in an optimized manner. In particular, during the collection process, the IAM system preferably collects only what is necessary based on the configuration, even if the data source is capable of providing additional data. The collected data is then processed to detect security vulnerabilities associated with the IAM accounts.

Citations

17 Claims

1. A method to facilitate detection of security vulnerabilities in accounts provisioned in an identity and access management (IAM) system, comprising:
- determining types of data supported by a set of data sources;
  
  based on the types of data supported by the set of data sources, determining a set of vulnerability detection strategies to apply to detect the security vulnerabilities;
  
  based on the set of vulnerability detection strategies, collecting data from the data sources, wherein during data collection a given data source of the set of data sources is invoked just once to collect data for all of the set of vulnerability detection strategies, the given data source being instructed to collect only the types of data required by the set of vulnerability detection strategies determined; and
  
  based on the data collected, executing the set of vulnerability detection strategies.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as described in claim 1 wherein first and second data sources of the set of data sources provide distinct types of data from one another.
  - 3. The method as described in claim 1 wherein the types of data include one of:
    - live data, static data, and a combination of live and static data.
  - 4. The method as described in claim 1 wherein determining a set of vulnerability detection strategies determines a strategy for vulnerability detection that, relative to at least one other strategy for vulnerability detection, is optimized based on the types of data supported by the set of data sources.
  - 5. The method as described in claim 1 wherein determining a set of vulnerability detection strategies determines a strategy for vulnerability detection that, relative to at least one other strategy for vulnerability detection, is optimized based on an operating environment in which the security vulnerabilities are to be detected.

6. An apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to facilitate detection of security vulnerabilities in accounts provisioned in an identity and access management (IAM) system, the computer program instructions operative to;
  
  determine types of data supported by a set of data sources;
  
  based on the types of data supported by the set of data sources, determine a set of vulnerability detection strategies to apply to detect the security vulnerabilities;
  
  based on the set of vulnerability detection strategies, collect data from the data sources, wherein during data collection a given data source of the set of data sources is invoked just once to collect data for all of the set of vulnerability detection strategies, the given data source being instructed to collect only the types of data required by the set of vulnerability detection strategies determined; and
  
  based on the data collected, execute the set of vulnerability detection strategies.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus as described in claim 6 wherein first and second data sources of the set of data sources provide distinct types of data from one another.
  - 8. The apparatus as described in claim 6 wherein the types of data include one of:
    - live data, static data, and a combination of live and static data.
  - 9. The apparatus as described in claim 6 wherein the computer program instructions that determine a set of vulnerability detection strategies determine a strategy for vulnerability detection that, relative to at least one other strategy for vulnerability detection, is optimized based on the types of data supported by the set of data sources.
  - 10. The apparatus as described in claim 6 wherein the computer program instructions that determine a set of vulnerability detection strategies determine a strategy for vulnerability detection that, relative to at least one other strategy for vulnerability detection, is optimized based on an operating environment in which the security vulnerabilities are to be detected.

11. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, facilitate detection of security vulnerabilities in accounts provisioned in an identity and access management (IAM) system, the computer program instructions operative to:
- determine types of data supported by a set of data sources;
  
  based on the types of data supported by the set of data sources, determine a set of vulnerability detection strategies to apply to detect the security vulnerabilities;
  
  based on the set of vulnerability detection strategies, collect data from the data sources, wherein during data collection a given data source of the set of data sources is invoked just once to collect data for all of the set of vulnerability detection strategies, the given data source being instructed to collect only the types of data required by the set of vulnerability detection strategies determined; and
  
  based on the data collected, execute the set of vulnerability detection strategies.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer program product as described in claim 11 wherein first and second data sources of the set of data sources provide distinct types of data from one another.
  - 13. The computer program product as described in claim 11 wherein the types of data include one of:
    - live data, static data, and a combination of live and static data.
  - 14. The computer program product as described in claim 11 wherein the computer program instructions that determine a set of vulnerability detection strategies determine a strategy for vulnerability detection that, relative to at least one other strategy for vulnerability detection, is optimized based on the types of data supported by the set of data sources.
  - 15. The computer program product as described in claim 11 wherein the computer program instructions that determine a set of vulnerability detection strategies determine a strategy for vulnerability detection that, relative to at least one other strategy for vulnerability detection, is optimized based on an operating environment in which the security vulnerabilities are to be detected.

16. An identity and access management system, comprising:
- a set of data sources; and
  
  a vulnerability scanner; and
  
  computer program instructions stored in computer memory and executed by one or more hardware processors to;
  
  determine types of data supported by a set of data sources;
  
  based on the types of data supported by the set of data sources, determine a set of vulnerability detection strategies to apply to detect the security vulnerabilities;
  
  based on the set of vulnerability detection strategies, collect data from the data sources, wherein during data collection a given data source of the set of data sources is invoked just once to collect data for all of the set of vulnerability detection strategies, the given data source being instructed to collect only the types of data required by the set of vulnerability detection strategies determined; and
  
  based on the data collected, instruct the vulnerability scanner to execute the set of vulnerability detection strategies.
- View Dependent Claims (17)
- - 17. The identity and access management system as described in claim 16 wherein the set of vulnerability detection strategies determined includes a strategy for vulnerability detection that, relative to at least one other strategy for vulnerability detection, is optimized based on an operating environment in which the security vulnerabilities are to be detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Harter, John Leslie, Palmieri, David Walsh, Robke, Jeffrey Tobias
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US14/957,974
Time in Patent Office

474 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Dynamic optimizing scanner for identity and access management (IAM) compliance verification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic optimizing scanner for identity and access management (IAM) compliance verification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links