Access relationship in a computer system

US 10,523,674 B2
Filed: 06/23/2017
Issued: 12/31/2019
Est. Priority Date: 03/13/2015
Status: Active Grant

First Claim

Patent Images

1. A method in a computerized system comprising:

configuring, by a credential management apparatus, at least one source restriction for an access relationship restricting access from a source entity to a destination entity;

matching an identification of a particular authenticator against a configured authorized authenticator;

evaluating a source restriction, configured for the authorized authenticator, from the at least one source restriction, against information about one or more entities having access to the particular authenticator to determine whether the access relationship is permitted by the source restriction; and

performing a management action on information of the access relationship related to the authorized authenticator in a record of access relationships in response to determining that the access relationship is not permitted by the source restriction,wherein the management action includes at least one of storing the access relationship in the record of access relationships with a marking that the access relationship is not permitted, not storing the access relationship, or updating information about the access relationship in the record of access relationships to indicate that the access relationship is no longer permitted by a source restriction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various mechanisms can be used for authorizing access between entities in a computing environment. Configuring such access may involve configuration data stored on one or more of the computing devices or stored externally to the computing devices. Various aspect are disclosed herein for collecting, analyzing, correlating, organizing, storing, using and/or displaying such information, for example in the form of pre-analyzed access relationships between entities in the computing environment. In accordance with an aspect access-related configuration information is collected from a plurality of entities and an access relationship between two or more entities is determined based on the configuration information. Information about the determined access relationship is stored in a non-volatile storage. The information identifies a source entity and a destination entity and the determined access relationship defines a user account associated with the source entity and authorized to log into a user account associated with the destination entity.

55 Citations

27 Claims

1. A method in a computerized system comprising:
- configuring, by a credential management apparatus, at least one source restriction for an access relationship restricting access from a source entity to a destination entity;
  
  matching an identification of a particular authenticator against a configured authorized authenticator;
  
  evaluating a source restriction, configured for the authorized authenticator, from the at least one source restriction, against information about one or more entities having access to the particular authenticator to determine whether the access relationship is permitted by the source restriction; and
  
  performing a management action on information of the access relationship related to the authorized authenticator in a record of access relationships in response to determining that the access relationship is not permitted by the source restriction,wherein the management action includes at least one of storing the access relationship in the record of access relationships with a marking that the access relationship is not permitted, not storing the access relationship, or updating information about the access relationship in the record of access relationships to indicate that the access relationship is no longer permitted by a source restriction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising storing the information about the access relationship at a database of the credential management apparatus.
  - 3. The method of claim 1, further comprising storing the information at a non-volatile memory.
  - 4. The method of claim 1, further comprising obtaining the authorized authenticator from a vault.
  - 5. The method of claim 4, wherein the obtained authenticator is for authenticating at least one of:
    - access by another entity to the source entity,access by the source entity to another entity, oruser of the source entity to another entity.
  - 6. The method of claim 1, wherein the particular authenticator comprises authentication credential for authentication of the source entity to the destination entity.
  - 7. The method of claim 6, wherein the authentication credential comprises one of an authentication password, a password file, an authorized key, or an identity key.
  - 8. The method of claim 7, wherein the authentication credential comprises a Secure Shell (SSH) key.
  - 9. The method of claim 1, wherein the authenticator comprises one of a Kerberos credential, Kerberos keytab entry, a certificate, a user account file, or a .rhosts file.
  - 10. The method of claim 1, further comprising obtaining the authenticator during boot of the host.
  - 11. The method of claim 1, further comprising determining that the access relationship is permitted by the source restriction, and storing the access relationship in a database holding the record of access relationships as a permitted access relationship.
  - 12. The method of claim 1, further comprising converting the configured source restriction into a common syntax before evaluating the source restriction.
  - 13. The method of claim 12, further comprising storing the source restriction in a database in the common syntax.
  - 14. The method of claim 12, wherein the converting comprises converting a match pattern into a regular expression with a predefined syntax.
  - 15. The method of claim 1, wherein when the evaluation indicates that an access relationship for an entity that has access to a private key used as an identity key for the access relationship related to the authorized authenticator is not permitted by the source restriction, the management action comprises generating an alert, a report, or a display.

16. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus to;
  
  configure at least one source restriction for access relationships restricting access from a source entity to a destination entity,match an identification of an authenticator against a configured authorized authenticator,evaluate a source restriction configured for the authorized authenticator against information about one or more entities having access to the authenticator to determine whether the access relationship is permitted by the source restriction, andperform a management action on information of an access relationship related to the authorized authenticator in a record of access relationships in response to determining that the access relationship is not permitted by the source restriction,wherein the management action includes at least one of store the access relationship with a marking that the access relationship as not permitted, not store the access relationship, or update information about the access relationship to indicate that it is no longer permitted by a source restriction.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The apparatus of claim 16, wherein the source entity comprises a virtual computing device configured to operate based on Linux programming language.
  - 18. The apparatus of claim 16, configured to store the information on the at least one source restriction at a non-volatile memory.
  - 19. The apparatus of claim 16, wherein the authorized authenticator is obtained from a vault.
  - 20. The apparatus of claim 19, wherein the obtained authenticator comprises at least one authentication credential for authentication of a source entity to a destination entity.
  - 21. The apparatus of claim 20, wherein the authentication credential comprises one of an authentication password, a password file, an authorized key, or an identity key.
  - 22. The apparatus of claim 16, wherein the at least one memory and the computer program code are configured to further cause the apparatus to, in response to determining that the access relationship is permitted by the source restriction, store the access relationship in a database holding the record of access relationships as a permitted access relationship.
  - 23. The apparatus of claim 16, wherein the at least one memory and the computer program code are configured to further cause the apparatus to convert the configured source restriction into a common syntax before evaluating the source restriction.
  - 24. The apparatus of claim 23, further comprising a database for storing the source restriction in a in the common syntax.
  - 25. The apparatus of claim 16, wherein the at least one memory and the computer program code are configured to further cause the apparatus to convert a match pattern into a regular expression with a predefined syntax.
  - 26. The apparatus of claim 16, wherein the at least one memory and the computer program code are configured to further cause the apparatus to, in response to the evaluation indicating that an access relationship for an entity that has access to a private key used as an identity key for the access relationship related to the authorized authenticator is not permitted by the source restriction, generate an alert, a report, or a display.

27. A non-transitory computer readable media comprising program code for causing an apparatus comprising a processor to perform instructions comprising:
- configuring at least one source restriction for access relationships restricting access from a source entity to a destination entity;
  
  matching an identification of an authenticator against a configured authorized authenticator;
  
  evaluating a source restriction configured for the authorized authenticator against information about one or more entities having access to the authenticator to determine whether the access relationship is permitted by the source restriction; and
  
  performing a management action on information of an access relationship related to the authorized authenticator in a record of access relationships in response to determining that the access relationship is not permitted by the source restriction,wherein the management action includes at least one of storing the access relationship in the record of access relationships with a marking that the access relationship is not permitted, not storing the access relationship, or updating information about the access relationship in the record of access relationships to indicate that the access relationship is no longer permitted by a source restriction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
SSH Communications Security Oyj
Inventors
Ylonen, Tatu
Primary Examiner(s)
Lwin, Maung T

Application Number

US15/631,621
Publication Number

US 20170289164A1
Time in Patent Office

921 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/45   Structures or tools for the...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 9/08   Key distribution or managem...

H04L 9/0891   Revocation or update of sec...

Access relationship in a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

55 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Access relationship in a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links