Threat-aware provisioning and governance

  • US 9,762,582 B1
  • Filed: 12/20/2016
  • Issued: 09/12/2017
  • Est. Priority Date: 05/17/2016
  • Status: Active Grant
First Claim

1. A method for managing a provisioned-resource, wherein the provisioned-resource is included in a computing system, wherein an end-user device is configured for use by an end-user to access the provisioned-resource, and wherein the method comprises:

  • forming a device risk vector for the end-user device, the device risk vector including at least one device risk attribute, wherein the at least one device risk attribute is an attribute of the end-user device, is included in a device compliance status associated with the end-user device, and includes a device malware infection status, a device patch level, and a device vulnerability;

    forming a resource risk vector for the provisioned resource, the resource risk vector including at least one resource risk attribute, wherein the at least one resource risk attribute is an attribute of the provisioned-resource, is included in a resource compliance status associated with the provisioned-resource, and includes a resource malware infection status, a resource patch level, and a resource vulnerability;

    forming a policy vector, the policy vector including at least one security compliance attribute, and wherein the at least one security compliance attribute represents an access risk boundary associated with the end-user device accessing the provisioned-resource;

    forming a threat vector, the threat vector including at least one system risk attribute, wherein the at least one system risk attribute is based, at least in part, on comparing the device risk vector and the resource risk vector to the policy vector, and wherein the at least one system risk attribute comprises the at least one device risk attribute, the at least one resource risk attribute, and the at least one security compliance attribute;

    communicating a compliance alert in response to the at least one system risk attribute included in the threat vector exceeding the at least one security compliance attribute, wherein the compliance alert comprises at least identifying the end-user or the end-user device as posing a security risk to the computing system; and

    performing an access management operation including determining an access-level, wherein the access-level is associated with access to the provisioned-resource by at least one of the end-user, the end-user device, and a user account, wherein the user account is associated with the end-user, and wherein the determining the access-level is based, at least in part, on the at least one system risk attribute included in the threat vector, wherein the access management operation is included in;

    provisioning the provisioned-resource to at least one of the end-user, the end-user device, and the user account;

    certifying the at least one of the end-user, the end-user device, and the user account for the access to the provisioned-resource;

    determining whether the access to the provisioned-resource by the at least one of the end-user, the end-user device, and the user account is within acceptable system security risk boundaries;

    suspending the at least one of the end-user, the end-user device, and the user account from the access to the provisioned-resource;

    determining an organizational role classification associated with the at least one of the end-user, the end-user device, and the user account; and

    in response to the at least one system risk attribute included in the threat vector exceeding the at least one security compliance attribute, modifying the access level for at least one of the end-user, the end-user device, and the user account according to particular attributes included within the threat vector;

    wherein the end-user is one of a first computing device, a first computer program, a first electronic device, and a first component of a first mechanical device;

    wherein the end-user device is one of a second computing device, a second computer program, a second electronic device, a second component of a second mechanical device, a mobile device, a handheld device, and a component of a home appliance;

    wherein the provisioned-resource is at least one of access to the computing system, a virtual machine, a programming container, a resource included in the computing system, and a service included in the computing system; and

    wherein a compliance policy is utilized to determine an access level for the end-user to access the provisioned-resource.
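The claim above describes a decision procedure: two risk vectors (device and resource) are compared against a policy vector, the comparison yields a threat vector, an alert is raised when a risk attribute exceeds the policy boundary, and an access level is then chosen from the threat vector and the role of the requester. The following Python code is an added illustration of that procedure written for this page; it is not the patentee's implementation and is not derived from the patent's specification. The attribute units (patch age in days, vulnerability as a 0-10 score), the thresholds, the role names and the mapping from violations to access levels are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class AccessLevel(Enum):
    FULL = "full"
    RESTRICTED = "restricted"
    SUSPENDED = "suspended"


@dataclass(frozen=True)
class RiskVector:
    """The three risk attributes the claim names for a device or a resource.
    Units are assumptions for this example, not the patent's definitions."""
    malware_infected: bool
    patch_age_days: int      # days since last patch (assumed unit)
    vuln_score: float        # worst known vulnerability score, 0.0-10.0 (assumed)


@dataclass(frozen=True)
class PolicyVector:
    """Security compliance attributes: the access risk boundary."""
    allow_infected: bool
    max_patch_age_days: int
    max_vuln_score: float


@dataclass(frozen=True)
class ThreatVector:
    """System risk attributes: the compared vectors plus the list of
    attributes that exceed the policy boundary."""
    device: RiskVector
    resource: RiskVector
    policy: PolicyVector
    violations: Tuple[str, ...]


def form_threat_vector(device: RiskVector, resource: RiskVector,
                       policy: PolicyVector) -> ThreatVector:
    """Compare both risk vectors to the policy vector, attribute by attribute."""
    violations = []
    for name, vec in (("device", device), ("resource", resource)):
        if vec.malware_infected and not policy.allow_infected:
            violations.append(f"{name}.malware_infected")
        if vec.patch_age_days > policy.max_patch_age_days:
            violations.append(f"{name}.patch_age_days")
        if vec.vuln_score > policy.max_vuln_score:
            violations.append(f"{name}.vuln_score")
    return ThreatVector(device, resource, policy, tuple(violations))


def compliance_alert(tv: ThreatVector, user: str, device_id: str) -> Optional[str]:
    """Return an alert identifying the user/device as a risk, or None if compliant."""
    if not tv.violations:
        return None
    return f"ALERT: {user}/{device_id} exceeds policy: {', '.join(tv.violations)}"


def determine_access_level(tv: ThreatVector, role: str) -> AccessLevel:
    """Access management operation: pick an access level from the particular
    attributes in the threat vector and the requester's role classification.
    The mapping below is an assumption for this example."""
    if not tv.violations:
        return AccessLevel.FULL
    if any(v.endswith("malware_infected") for v in tv.violations):
        return AccessLevel.SUSPENDED          # infected endpoints get no access
    if role == "admin":
        return AccessLevel.SUSPENDED          # privileged roles: no degraded access
    return AccessLevel.RESTRICTED             # patch/vuln drift: limited access


def evaluate(user: str, device_id: str, role: str, device: RiskVector,
             resource: RiskVector, policy: PolicyVector):
    """Run the whole procedure and return (alert, access_level)."""
    tv = form_threat_vector(device, resource, policy)
    return compliance_alert(tv, user, device_id), determine_access_level(tv, role)


# Constructed sample data for the example.
POLICY = PolicyVector(allow_infected=False, max_patch_age_days=30, max_vuln_score=7.0)
CLEAN = RiskVector(malware_infected=False, patch_age_days=5, vuln_score=3.1)
STALE = RiskVector(malware_infected=False, patch_age_days=45, vuln_score=3.1)
INFECTED = RiskVector(malware_infected=True, patch_age_days=5, vuln_score=3.1)
WEAK_RESOURCE = RiskVector(malware_infected=False, patch_age_days=2, vuln_score=9.8)

if __name__ == "__main__":
    for label, dev, res, role in (("clean", CLEAN, CLEAN, "staff"),
                                  ("stale", STALE, CLEAN, "staff"),
                                  ("stale-admin", STALE, CLEAN, "admin"),
                                  ("infected", INFECTED, CLEAN, "staff"),
                                  ("weak-resource", CLEAN, WEAK_RESOURCE, "staff")):
        alert, level = evaluate("alice", "laptop-01", role, dev, res, POLICY)
        print(f"{label:14} {level.value:10} {alert or '-'}")
```

Every attribute the claim names is an input, and the output is the pair the claim requires: the compliance alert naming the user or device, and the access level. Because `ThreatVector` carries both the raw vectors and the list of violated attributes, an access decision can be explained and logged from the threat vector alone.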

  • 1 Assignment