MANAGING RELATIONSHIPS IN A COMPUTER SYSTEM

US 20170163689A1
Filed: 02/24/2017
Published: 06/08/2017
Est. Priority Date: 12/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method in a computer network system, the method comprising:

obtaining information on trust relationships between entities in the computer network system,determining transitive reachability information for a selected entity based on the information on trust relationships,generating a transitive reachability graph describing at least one access relation of the entity based on the transitive reachability information, andperforming a management action based on the on the generated transitive reachability graph.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.

Citations

22 Claims

1. A method in a computer network system, the method comprising:
- obtaining information on trust relationships between entities in the computer network system,determining transitive reachability information for a selected entity based on the information on trust relationships,generating a transitive reachability graph describing at least one access relation of the entity based on the transitive reachability information, andperforming a management action based on the on the generated transitive reachability graph.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, comprising displaying the generated transitive reachability graph.
  - 3. The method of claim 2, comprising at least one of displaying all access relationships of the entity,displaying all accounts and/or hosts that can be reached from each account and/or host in the computer network system,displaying entities that can access one or more accounts and/or hosts in the computer network system, anddisplaying entities that can access root accounts and/or privileged accounts in the computer network system.
  - 4. The method of claim 1, comprising generating one or more reports or alerts based on the on the generated transitive reachability graph.
  - 5. The method of claim 4, comprising generating a report or an alert in response to determining that a trust relationship crosses a configured boundary it should not cross or determining a violation of a policy.
  - 6. The method of claim 1, comprising performing a policy action based on the generated transitive reachability graph.
  - 7. The method of claim 6, comprising enforcing a security policy.
  - 8. The method of claim 7, the enforcing comprising at least one of restricting use of permitted algorithms, key sizes or trust relationship configuration methods,preventing trust relationships between functional accounts and normal user accounts, andselectively preventing access from development systems to production systems.
  - 9. The method of claim 1, wherein the obtaining comprises at least one of discovering key based trust relationships,discovering non-key based trust relationships,discovering an account on a source host that can automatically log into an account on a destination host,discovering host equivalence based access,discovering user accounts in a source host and a destination host that refer to same account or identity in a directory, anddiscovering same user account identity in a source host and a destination host.
  - 10. The method of claim 1, comprising storing the generated transitive reachability graph.

11. An apparatus comprising at least one processor, and at least one memory including computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus toobtain information on trust relationships between entities in a computer network system,determine transitive reachability information for a selected entity based on the information on trust relationships,generate a transitive reachability graph describing at least one access relation of the entity based on the transitive reachability information, andcause a management action based on the on the generated transitive reachability graph.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The apparatus of claim 11, further configured to cause a display of the generated transitive reachability graph.
  - 13. The apparatus of claim 12, configured to cause at least one ofa display of all access relationships of the entity,a display of all accounts and/or hosts that can be reached from each account and/or host in the computer network system,a display of entities that can access one or more accounts and/or hosts in the computer network system, anda display of entities that can access root accounts and/or privileged accounts in the computer network system.
  - 14. The apparatus of claim 11, further configured to generate one or more reports or alerts based on the on the generated transitive reachability graph.
  - 15. The apparatus of claim 14, configured to generate a report or an alert in response to determination of a trust relationship that crosses a configured boundary it should not cross or determination of a violation of a policy.
  - 16. The apparatus of claim 11, further configured to cause performing of a policy action based on the generated transitive reachability graph.
  - 17. The apparatus of claim 16, configured to enforce a security policy.
  - 18. The apparatus of claim 17, configured to at least one ofrestrict use of permitted algorithms, key sizes or trust relationship configuration methods,prevent trust relationships between functional accounts and normal user accounts, andselectively prevent access from development systems to production systems.
  - 19. The apparatus of claim 11, configured at least one ofdiscover key based trust relationships,discover non-key based trust relationships,discover accounts on source hosts that can automatically log into accounts on destination hosts,discover host equivalence based access,discover user accounts in source hosts and destination hosts that refer to same account or identity in a directory, anddiscover same user account identity in source hosts and destination hosts.
  - 20. The apparatus of claim 11, configured to store the generated transitive reachability graph.
  - 21. The apparatus of claim 11, comprising a key management host.

22. A non-transitory computer readable media comprising program code for causing a processor to perform instructions in a computer network system, the method performed comprising:
- obtaining information on trust relationships between entities in the computer network system,determining transitive reachability information for a selected entity based on the information on trust relationships,generating a transitive reachability graph describing at least one access relation of the entity based on the transitive reachability information, andperforming a management action based on the on the generated transitive reachability graph.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
SSH Communications Security Oyj
Inventors
Ylonen, Tatu J.

Granted Patent

US 9,998,497 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/575   Secure boot

H04L 61/4523   using lightweight directory...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/321 : involving a third party or ...

H04L 9/3263 : involving certificates, e.g...

H04L 9/3268 : using certificate validatio...

View All

MANAGING RELATIONSHIPS IN A COMPUTER SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

MANAGING RELATIONSHIPS IN A COMPUTER SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links