Techniques for Reconciling Permission Usage with Security Policy for Policy Optimization and Monitoring Continuous Compliance

US 20140359695A1
Filed: 08/19/2013
Published: 12/04/2014
Est. Priority Date: 05/29/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus for managing a security policy having multiple policy items, the apparatus comprising:

a memory; and

at least one processor device, coupled to the memory, operative to;

(a) map permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items;

(b) identify at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy;

(c) identify at least one of the policy items mapped in step (a) that increases operational risk;

(d) verify that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and

(e) identify optimizations of the security policy based on output from one or more of steps (a)-(d).

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, a method for managing a security policy having multiple policy items includes the steps of: (a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identifying at least one of the policy items mapped in step (a) that increases operational risk; (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d).

159 Citations

8 Claims

1. An apparatus for managing a security policy having multiple policy items, the apparatus comprising:
- a memory; and
  
  at least one processor device, coupled to the memory, operative to;
  
  (a) map permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items;
  
  (b) identify at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy;
  
  (c) identify at least one of the policy items mapped in step (a) that increases operational risk;
  
  (d) verify that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and
  
  (e) identify optimizations of the security policy based on output from one or more of steps (a)-(d).
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the at least one processor device when performing step (b) to identify at least one of the policy items that is in violation of least privilege is operative to:
    - identify at least one of the policy items as being redundant, wherein a redundant policy item is a given one of the policy items which specifies an action regarding one or more of the permissions that is also specified by one or more other of the policy items but which have higher priority than the given policy item in an access control decision, and thereby violates least privilege.
  - 3. The apparatus of claim 1, wherein the at least one processor device when performing the step (b) to identify at least one of the policy items that is in violation of least privilege is operative to:
    - identify which of the policy items were used to authorize access requests during a given time period and therefore are relevant policy items, and which of the policy items were not used to authorize access requests during the time period, but which do permit access to some resources and are non-relevant policy items in violation of least privilege.
  - 4. The apparatus of claim 1, wherein the at least one processor device when performing the step (b) to identify at least one of the policy items that is in violation of least privilege is operative to:
    - identify users who have more than a pre-determined threshold fraction of the permissions which the users either i) do not use, or ii) use less than some pre-determined threshold number of times during a given time period and thus are over-provisioned users in violation of least privilege.
  - 5. The apparatus of claim 1, wherein the at least one processor device when performing the step (b) to identify at least one of the policy items that is in violation of least privilege is operative to:
    - identify a given one of the policy items which is overly permissive in the number of resources to which the given policy item grants access, and thus in violation of least privilege, by determining if more than a first pre-determined threshold fraction of users who are granted access to one or more of the permissions through the given policy item use less than a second pre-determined threshold fraction of the permissions granted by the given policy item within a given period of time.
  - 6. The apparatus of claim 1, wherein the at least one processor device when performing the step (c) to identify at least one of the policy items that increases operational risk is operative to:
    - track changes to the security policy based on logs of the usage of the permissions and the security policy to determine an impact the changes to the security policy have on the usage of the permissions.
  - 7. The apparatus of claim 1, wherein the at least one processor device when performing the step (d) to verify that the policy constructs in the security policy are consistent with the policy constructs inferred from the actual permission usage is operative to:
    - compare groups and roles in the policy constructs in the security policy with roles inferred from the actual permission usage to determine an amount by which the groups and roles in the security policy and the roles inferred from the actual permission usage differ.

8. An article of manufacture for managing a security policy having multiple policy items, comprising a machine-readable recordable medium containing one or more programs which when executed implement the steps of:
- (a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items;
  
  (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy;
  
  (c) identifying at least one of the policy items mapped in step (a) that increases operational risk;
  
  (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and
  
  (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies Holdings, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Chari, Suresh N., Molloy, Ian M., Park, Youngja, Teiken, Wilfried

Granted Patent

US 9,288,232 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/604   Tools and structures for ma...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/20   for managing network securi...

Techniques for Reconciling Permission Usage with Security Policy for Policy Optimization and Monitoring Continuous Compliance

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

159 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for Reconciling Permission Usage with Security Policy for Policy Optimization and Monitoring Continuous Compliance

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

159 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links