Method and systems for controlling access to computing resources based on known security vulnerabilities
Abstract
Methods and systems are provided for fine-tuning access control by remote endpoint systems to host systems. Multiple conditions or states of one or both of the endpoint and host systems are monitored, collected and fed to an analysis engine. Using one or more of many different flexible, adaptable models and algorithms, the analysis engine analyzes the status of the conditions and makes decisions in accordance with pre-established policies and rules regarding the security of the endpoint and host systems. Based upon the conditions, the policies, and the analytical results, actions are initiated regarding security and access matters. In one described embodiment of the invention, the monitored conditions include software vulnerabilities.
Claims (28)
1. A method operable on a computer for controlling the operation of a computing system in response to a security vulnerability, comprising:
- the computing system running software subject to at least one security vulnerability;
- establishing a policy based on the status of the at least one security vulnerability including at least one rule and an analysis method for determining compliance with the rule;
- receiving information relating to the status of the at least one security vulnerability of the software program;
- processing the information relating to the status using the analysis method;
- determining, based on the processing, the compliance of the at least one security vulnerability in relation to the rule; and
- controlling, based on the determining, the operation of the computing system.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)

17. A system for controlling the operation of a computing system in response to a security vulnerability, comprising:
- a processor;
- a memory connected to the processor and storing instructions for controlling the operation of the processor to perform the steps of identifying the computing system running software subject to at least one security vulnerability;
- storing a policy based on the status of the at least one security vulnerability including at least one rule and an analysis method for determining compliance with the rule;
- receiving information relating to the status of the at least one known security vulnerability of the software program;
- processing the information relating to the status using the analysis method;
- determining, based on the processing, the compliance of the at least one security vulnerability in relation to the rule; and
- controlling, based on the determining, the operation of the host computing system.
(Dependent claims: 18, 19, 20)

17-1. A method operable on a computer for controlling the access of an endpoint computing system to a host computing system in response to a security vulnerability, comprising:
- identifying within at least one of the endpoint and host systems a plurality of conditions, each condition having a state;
- operating on at least one of the host computing system and the endpoint computing system a software program subject to at least one security vulnerability;
- establishing a policy based on the status of the at least one security vulnerability and the state of each of the plurality of conditions, the policy including at least one rule and an analysis method for determining compliance with the rule;
- receiving information relating to the status of the at least one known security vulnerability of the software program;
- receiving information relating to the state of each of the plurality of conditions;
- processing the information relating to the status of the at least one known security vulnerability and the state of each of the plurality of conditions using the analysis method;
- determining, based on the processing, the compliance of the at least one security vulnerability and the plurality of conditions with the rule; and
- controlling, based on the determining, access of the endpoint system to a resource of the host computing system.

21. A system for controlling the access of an endpoint computing system to a host computing system in response to a security vulnerability, comprising:
- means for identifying within at least one of the endpoint and host systems a plurality of conditions, each condition having a state;
- means for operating on at least one of the host computing system and the endpoint computing system a software program subject to at least one security vulnerability;
- means for establishing a policy based on the status of the at least one security vulnerability and the state of each of the plurality of conditions, the policy including at least one rule and an analysis method for determining compliance with the rule;
- means for receiving information relating to the status of the at least one known security vulnerability of the software program;
- means for receiving information relating to the state of each of the plurality of conditions;
- means for processing the information relating to the status of the at least one known security vulnerability and the state of each of the plurality of conditions using the analysis method;
- means for determining, based on the processing, the compliance of the at least one security vulnerability and the plurality of conditions with the rule; and
- means for controlling, based on the determining, access of the endpoint system to a resource of the host computing system.

22. A method for generating signals to control the access of an endpoint computing system to a resource in a host computing system, comprising:
- collecting a state for each of a plurality of conditions in at least one of the endpoint computing system and the host computing system;
- collecting a status of a known security vulnerability for a software program operating on at least one of the host computing system and the endpoint computing system;
- identifying a policy for determining access of the endpoint computing system to the resource, the policy including at least one rule and an analysis method for determining compliance with the rule;
- processing, using the analysis method, the state of each of the plurality of conditions and the status of the known security vulnerability;
- determining, based upon the processing, if the conditions and the known security vulnerability are in compliance with the rule; and
- generating, based upon the determining, a signal usable to control the access of the endpoint computing system to the resource.
(Dependent claims: 23)

24. A program product containing instructions to control the operation of a computing system to control the access of an endpoint computing system to a resource in a host computing system, the instructions operable on the computing system to cause the computing system to perform a process comprising:
- collecting a state for each of a plurality of conditions in at least one of the endpoint computing system and the host computing system;
- collecting a status of a known security vulnerability for a software program operating on at least one of the host computing system and the endpoint computing system;
- identifying a policy for determining access of the endpoint computing system to the resource, the policy including at least one rule and an analysis method for determining compliance with the rule;
- processing, using the analysis method, the state of each of the plurality of conditions and the status of the known security vulnerability;
- determining, based upon the processing, if the conditions and the known security vulnerability are in compliance with the rule; and
- generating, based upon the determining, a signal usable to control the access of the endpoint computing system to the resource.

25. A method for developing a compliance policy to control the access of an endpoint computing system to a resource in a host computing system, comprising:
- identifying a plurality of conditions in at least one of the endpoint computing system and the host computing system, each of the plurality of conditions including an associated state, at least one of the plurality of conditions relating to a risk of a known security vulnerability; and
- developing a policy for determining the access of the endpoint computing system to the resource, the policy including a rule and at least one analysis method for processing the states of the plurality of conditions to determine if the plurality of conditions are in compliance with the rule.
(Dependent claims: 27)

28. A system for developing a compliance policy to control the access of an endpoint computing system to a resource in a host computing system, comprising:
- means for identifying a plurality of conditions in at least one of the endpoint computing system and the host computing system, each of the plurality of conditions including an associated state, at least one of the plurality of conditions relating to a risk of a known security vulnerability; and
- means for developing a policy for determining the access of the endpoint computing system to the resource, the policy including a rule and at least one analysis method for processing the states of the plurality of conditions to determine if the plurality of conditions are in compliance with the rule.
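The independent claims above (1, 17, 21, 22, 24, 25 and 28) all describe the same decision loop: collect condition states and the status of known vulnerabilities, identify a policy made of rules plus an analysis method per rule, determine compliance, and emit a signal that controls the endpoint's access to a host resource. The following is an added example, not code from the patent or any product it covers, showing that loop in working form. Every condition name, vulnerability identifier, severity value, threshold and rule name is constructed for illustration; the three analysis methods (all-required, severity threshold, weighted risk budget) are assumed designs standing in for the "flexible, adaptable models and algorithms" the abstract refers to.

```python
"""Policy-driven endpoint access control in the shape the claims describe.

Added example, not code from the patent: an endpoint reports conditions (each
with a state) plus the status of known vulnerabilities in its software; a policy
is a list of rules, each bound to an analysis method; the engine processes the
inputs, determines compliance with each rule, and emits an access signal.
All names, ids, severities and thresholds below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    """Signal for the host's access-control point, least to most restrictive."""
    ALLOW = 0
    QUARANTINE = 1   # reach remediation resources only (patch server, AV updates)
    DENY = 2


@dataclass
class Vulnerability:
    """Status of one known vulnerability in a program on the endpoint."""
    vuln_id: str      # constructed placeholder, not a real advisory id
    severity: float   # 0.0-10.0 on a constructed CVSS-like scale
    patched: bool


@dataclass
class Endpoint:
    conditions: dict        # condition name -> observed state
    vulnerabilities: list   # list of Vulnerability


# --- analysis methods: (endpoint, rule parameters) -> True when compliant -----
def all_required(ep, params):
    """Every listed condition must be in its required state."""
    return all(ep.conditions.get(name) == state
               for name, state in params["required"].items())


def max_unpatched_severity(ep, params):
    """No unpatched known vulnerability may exceed the severity threshold."""
    worst = max((v.severity for v in ep.vulnerabilities if not v.patched),
                default=0.0)
    return worst <= params["threshold"]


def weighted_score(ep, params):
    """Weighted sum of out-of-state conditions must stay under a risk budget."""
    risk = sum(weight for name, (state, weight) in params["weights"].items()
               if ep.conditions.get(name) != state)
    return risk < params["budget"]


ANALYSIS_METHODS = {
    "all_required": all_required,
    "max_unpatched_severity": max_unpatched_severity,
    "weighted_score": weighted_score,
}


@dataclass
class Rule:
    name: str
    method: str       # key into ANALYSIS_METHODS
    params: dict
    on_fail: Access   # signal this rule requests when it is not met


def evaluate(policy, ep):
    """Run every rule through its analysis method; the most restrictive signal
    requested by a failing rule wins. Returns (signal, names of failed rules)."""
    decision, failed = Access.ALLOW, []
    for rule in policy:
        if not ANALYSIS_METHODS[rule.method](ep, rule.params):
            failed.append(rule.name)
            if rule.on_fail.value > decision.value:
                decision = rule.on_fail
    return decision, failed


# A constructed policy: three rules, each using a different analysis method.
POLICY = [
    Rule("baseline-controls", "all_required",
         {"required": {"antivirus_running": True, "disk_encrypted": True}},
         Access.QUARANTINE),
    Rule("no-high-severity-unpatched", "max_unpatched_severity",
         {"threshold": 6.9}, Access.DENY),
    Rule("risk-budget", "weighted_score",
         {"weights": {"firewall_enabled": (True, 3),
                      "os_patch_level": ("current", 4),
                      "screen_lock": (True, 1)},
          "budget": 5}, Access.QUARANTINE),
]


def sample_endpoints():
    """Constructed endpoint reports that exercise all three outcomes."""
    good = {"antivirus_running": True, "disk_encrypted": True,
            "firewall_enabled": True, "os_patch_level": "current",
            "screen_lock": True}
    lax = dict(good, antivirus_running=False, firewall_enabled=False,
               screen_lock=False)
    return {
        "healthy": Endpoint(good, [Vulnerability("VULN-EXAMPLE-1", 9.8, True)]),
        "exposed": Endpoint(good, [Vulnerability("VULN-EXAMPLE-1", 9.8, False)]),
        "lax": Endpoint(lax, []),
    }


if __name__ == "__main__":
    for name, ep in sample_endpoints().items():
        signal, failed = evaluate(POLICY, ep)
        print(f"{name:8s} -> {signal.name:10s} failed rules: {failed}")
```

The design choice worth noting is that each rule carries its own failure action and the engine takes the most restrictive one, so an unpatched high-severity vulnerability leads to a deny even when every other control is in place, while a missing baseline control only quarantines the endpoint to remediation resources. In a deployment the `conditions` and `vulnerabilities` inputs would be populated by an agent or scanner rather than constructed inline.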