SCALABLE AND AUTOMATED SECRET MANAGEMENT

US 20140165167A1
Filed: 12/12/2012
Published: 06/12/2014
Est. Priority Date: 12/12/2012
Status: Active Grant

First Claim

Patent Images

1. A method for secret management, comprising:

automatically generating a first secret used to access a resource;

securely storing the first secret with other secrets;

determining when a request is made from a user for the first secret;

providing the first secret to access the resource a single time;

determining when the first secret has expired;

determining when the user is authorized to access the resource by using a lockbox to analyze a plurality of predefined conditions, wherein the lockbox evaluates user authorization at predetermined intervals;

automatically generating a second secret to replace the first secret in response to determining that the first secret has expired and the user is authorized to access the resource; and

replacing the first secret with the second secret.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secret (e.g. a password, key, certificate) is automatically generated by a system. For example, at the time of deployment of a computing machine, a password may be generated and securely stored by the system with other secrets. The password may be used by the system to perform various operations (e.g. configuring the machine, . . . ). When a secret is requested by a user to access a resource, a secret is provided to the user. Once the secret has been utilized by the user, the secret is reset and replaced with a newly generated secret. All/portion of the secrets may also be automatically regenerated. For example, when a breach occurs and/or is suspected, each of the secrets may be replaced with newly generated secrets and securely stored. Auditing and reporting may also be provided (e.g. each request/access to a secret is logged).

20 Citations

22 Claims

1. A method for secret management, comprising:
- automatically generating a first secret used to access a resource;
  
  securely storing the first secret with other secrets;
  
  determining when a request is made from a user for the first secret;
  
  providing the first secret to access the resource a single time;
  
  determining when the first secret has expired;
  
  determining when the user is authorized to access the resource by using a lockbox to analyze a plurality of predefined conditions, wherein the lockbox evaluates user authorization at predetermined intervals;
  
  automatically generating a second secret to replace the first secret in response to determining that the first secret has expired and the user is authorized to access the resource; and
  
  replacing the first secret with the second secret.
- View Dependent Claims (2, 5, 6, 7, 8, 9, 21, 22)
- - 2. The method of claim 1, further comprising logging each request and use of the secrets.
  - 5. The method of claim 1, wherein determining when the first secret has expired comprises determining when an operation involving the resource has been completed.
  - 6. The method of claim 1, wherein determining when the first secret has expired comprises determining when the first secret has been used to log into a machine.
  - 7. The method of claim 1, further comprising automatically replacing at least a portion of the stored secrets with automatically generated replacement secrets.
  - 8. The method of claim 1, further comprising generating a first secret for each machine in a service upon deployment of the machine in the service.
  - 9. The method of claim 1, wherein the first secret is used a single time and then automatically replaced with the second secret.
  - 21. The method of claim 1, wherein using a lockbox that analyzes a plurality of predefined conditions, further comprises revoking the user authorization to access the resource.
  - 22. The method of claim 1, wherein using a lockbox that analyzes a plurality of predefined conditions, further comprises assigning an expiration interval to the user authorization.

3-4. -4. (canceled)

10. A computer-readable storage device storing computer-executableinstructions for secret management, comprising:
- automatically generating a first secret used to access a resource;
  
  securely storing the first secret with other secrets;
  
  determining when a request is made from a user for the first secret;
  
  providing the first secret to access the resource a single time;
  
  determining when the first secret has expired;
  
  determining when the user is authorized to access the resource by using a lockbox that analyzes a plurality of predefined conditions, wherein the lockbox evaluates user authorization at predetermined intervals;
  
  automatically generating a second secret to replace the first secret in response to determining at least one of;
  
  the first secret has expired and the user is authorized to have access to the resource; and
  
  replacing the first secret with the second secret.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computer-readable storage device of claim 10, further comprising logging each request and use of the secrets.
  - 12. The computer-readable storage device of claim 10, wherein generating the second secret comprises determining when the user has accessed the resource.
  - 13. The computer-readable storage device of claim 10, wherein determining when the first secret has expired comprises determining when an operation involving the resource has been completed.
  - 14. The computer-readable storage device of claim 10, further comprising automatically replacing at least a portion of the stored secrets with automatically generated replacement secrets in response to a determined security breach.
  - 15. The computer-readable storage device of claim 10, further comprising generating a first secret for each machine in a service upon deployment of the machine in the service.
  - 16. The computer-readable storage device of claim 10, wherein the first secret is used a single time and then automatically replaced with the second secret.

17. A system for secret management, comprising:
- a processor and a memory;
  
  an operating environment executing using the processor; and
  
  a secret manager that is configured to perform actions comprising;
  
  automatically generating a first secret used to access a resource;
  
  securely storing the first secret with other secrets;
  
  determining when a request is made from a user for the first secret;
  
  providing the first secret to access the resource a single time;
  
  determining when the first secret has expired;
  
  determining when the user is authorized to access the resource by using a lockbox that analyzes a plurality of predefined conditions, wherein the lockbox evaluates user authorization at predetermined intervals;
  
  automatically generating a second secret to replace the first secret in response to determining at least one of;
  
  the first secret has expired and the user is authorized to have access to the resource; and
  
  replacing the first secret with the second secret.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, further comprising logging each request and use of the secrets.
  - 19. The system of claim 17, wherein generating the second secret comprises determining when the user has accessed the resource.
  - 20. The system of claim 17, wherein determining when the first secret has expired comprises determining when an operation involving the resource has been completed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Lukyanov, Andrey, Rajagopalan, Rajmohan, Brady, Shane, Nunn, James, Friedman, Michael, Hawley, Rage, Atwood, Bryan

Granted Patent

US 8,881,249 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/45   Structures or tools for the...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

SCALABLE AND AUTOMATED SECRET MANAGEMENT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

SCALABLE AND AUTOMATED SECRET MANAGEMENT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links