Privileged account plug-in framework-step-up validation

US 9,674,168 B2
Filed: 03/20/2014
Issued: 06/06/2017
Est. Priority Date: 09/19/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a memory storing computer-executable instructions;

a privileged access management server that provides a privileged access management service configured with a plug-in framework for accessing at least a first secure resource and a second secure resource;

a plug-in server that is isolated from the privileged access management server by a firewall; and

a processor of the privileged access management server configured to access the memory and execute the computer-executable instructions to at least;

receive, from an administrator associated with an administrative account that manages the secure resources, plug-in code for implementing a workflow that includes at least a step-up validation associated with a user attempting to access the first secure resource, the user associated with a user account;

receive, from the administrator, a request to deploy the plug-in code on the plug-in server that is isolated from the privileged access management server by a firewall in order to solve a security risk;

generate instructions for implementing the workflow on the plug-in server that is isolated from the privileged access management server based at least in part on the received plug-in code;

receive, from a computing device of the user, a log-in request including at least authentication information for authenticating the user with the privileged access management service;

securely log the user into the privileged access management service based at least in part on the authentication information;

provide access to the second secure resource after the user is securely logged into the privileged access management service and based at least in part on the authentication with the privileged access management service;

receive, from the computing device of the user, a request to access the first secure resource while the user is still logged into the privileged access management service;

based at least in part on the request to deploy the plug-in code on the plug-in server that is isolated by the firewall, transmit the instructions, to the plug-in server, to implement the workflow for performing the step-up validation to enable access of the user to the first secure by resource, the plug-in server configured to;

provide an automated message via a telephone call to a device of the administrator associated with the administrative account, the automated message identifying the request of the user to access the first secure resource, the administrative account being separate from the user account of the user and not part of another account with the user account of the user;

receive a selection, from the device of the administrator, of an option for allowing or denying the user to access the first secure resource, the selection made via a button of the device of the administrator; and

transmit the option selected by the administrator to the privileged access management server;

receive, from the plug-in server, the option selected by the administrator; and

provide access to the first secure resource based at least in part on the option selected by the administrator while the user is still logged into the privileged access management service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for managing privileged accounts via a privileged access management service are provided. In some examples, the service may be configured with a plug-in framework for accessing secure resources. In some aspects, plug-in code for implementing a workflow that includes step-up validation associated with a user attempting to access at least one secure resource may be received. Access to the at least one secure resource may be provided when the user is authenticated with respect to the service. In some examples, a request to access a second secure resource may be received. Additionally, in some examples, the workflow to perform the step-up validation may be implemented at least in response to the request to access the second secure resource. The workflow implemented based at least in part on an attribute associated with the request.

86 Citations

View as Search Results

11 Claims

1. A system, comprising:
- a memory storing computer-executable instructions;
  
  a privileged access management server that provides a privileged access management service configured with a plug-in framework for accessing at least a first secure resource and a second secure resource;
  
  a plug-in server that is isolated from the privileged access management server by a firewall; and
  
  a processor of the privileged access management server configured to access the memory and execute the computer-executable instructions to at least;
  
  receive, from an administrator associated with an administrative account that manages the secure resources, plug-in code for implementing a workflow that includes at least a step-up validation associated with a user attempting to access the first secure resource, the user associated with a user account;
  
  receive, from the administrator, a request to deploy the plug-in code on the plug-in server that is isolated from the privileged access management server by a firewall in order to solve a security risk;
  
  generate instructions for implementing the workflow on the plug-in server that is isolated from the privileged access management server based at least in part on the received plug-in code;
  
  receive, from a computing device of the user, a log-in request including at least authentication information for authenticating the user with the privileged access management service;
  
  securely log the user into the privileged access management service based at least in part on the authentication information;
  
  provide access to the second secure resource after the user is securely logged into the privileged access management service and based at least in part on the authentication with the privileged access management service;
  
  receive, from the computing device of the user, a request to access the first secure resource while the user is still logged into the privileged access management service;
  
  based at least in part on the request to deploy the plug-in code on the plug-in server that is isolated by the firewall, transmit the instructions, to the plug-in server, to implement the workflow for performing the step-up validation to enable access of the user to the first secure by resource, the plug-in server configured to;
  
  provide an automated message via a telephone call to a device of the administrator associated with the administrative account, the automated message identifying the request of the user to access the first secure resource, the administrative account being separate from the user account of the user and not part of another account with the user account of the user;
  
  receive a selection, from the device of the administrator, of an option for allowing or denying the user to access the first secure resource, the selection made via a button of the device of the administrator; and
  
  transmit the option selected by the administrator to the privileged access management server;
  
  receive, from the plug-in server, the option selected by the administrator; and
  
  provide access to the first secure resource based at least in part on the option selected by the administrator while the user is still logged into the privileged access management service.
- View Dependent Claims (2)
- - 2. The system of claim 1, wherein the access to the second secure resource is provided by checking out a password, to the user, for accessing the second secure resource or is provided by enabling a secure session, with the user, for accessing the second secure resource.

3. A non-transitory computer-readable storage memory storing a plurality of instructions executable by one or more processors, the plurality of instructions comprising:
- instructions that cause the one or more processors to receive, from an administrator associated with an administrative account that manages the secure resources, plug-in code for implementing a workflow that includes at least a step-up validation associated with a user attempting to access a first secure resource, the user associated with a user account;
  
  instructions that cause the one or more processors to receive, from the administrator, a request to deploy the plug-in code on a plug-in server that is isolated from a privileged access management server by a firewall in order to solve a security risk;
  
  instructions that cause the one or more processors to receive, from a computing device of the user, a log-in request including at least authentication information for authenticating the user with a privileged access management service provided by the privileged access management server;
  
  instructions that cause the one or more processors to securely log the user into the privileged access management service based at least in part on the authentication information;
  
  instructions that cause the one or more processors to provide access to a second secure resource after the user is securely logged into the privileged access management service and based at least in part on the authentication with the privileged access management service;
  
  instructions that cause the one or more processors to receive, from the computing device of the user, a request to access the first secure resource while the user is still logged into the privileged access management service;
  
  instructions that cause the one or more processors to transmit, to the plug-in server, the instructions to implement the workflow for performing the step-up validation to enable access of the user to the first secure resource based at least in part on the request to deploy the plug-in code on the plug-in server that is isolated by the firewall, the plug-in server configured to;
  
  provide an automated message via a telephone call to a device of the administrator associated with the administrative account, the automated message identifying the request of the user to access the first secure resource, the administrative account being separate from the user account of the user and not part of another account with the user account of the user;
  
  receive a selection, from the device of the administrator, of an option for allowing or denying the user to access the first secure resource, the selection made via a button of the device of the administrator; and
  
  transmit the option selected by the administrator to the privileged access management server;
  
  instructions that cause the one or more processors to receive, from the plug-in server, the option selected by the administrator; and
  
  instructions that cause the one or more processors to provide access to the first secure resource based at least in part on the option selected by the administrator while the user is still logged into the privileged access management service.
- View Dependent Claims (4, 5, 6)
- - 4. The non-transitory computer-readable storage memory of claim 3, wherein the plurality of instructions further comprise instructions that cause the one or more processors to generate instructions for implementing the workflow based at least in part on the received plug-in code.
  - 5. The non-transitory computer-readable storage memory of claim 3, wherein the privileged access management service enables the administrator of the secure resources to update a policy associated with accessing the secure resources while the user is logged into the privileged access management service.
  - 6. The non-transitory computer-readable storage memory of claim 3, wherein the plug-in code for implementing the workflow comprises a passcode plugin configured to request a passcode from the user or a challenge question plugin configured to request an answer to a challenge question from the user.

7. A computer-implemented method, comprising:
- receiving, from an administrator associated with an administrative account that manages the secure resources, plug-in code for implementing a workflow that includes at least a step-up validation associated with a user attempting to access a first secure resource, the user associated with a user account;
  
  receiving, from the administrator, a request to deploy the plug-in code on a plug-in server that is isolated from a privileged access management server by a firewall in order to solve a security risk;
  
  generating instructions for implementing the workflow on the plug-in server that is isolated from the privileged access management server based at least in part on the received plug-in code;
  
  receiving, from a computing device of the user, a log-in request including at least authentication information for authenticating the user with a privileged access management service provided by the privileged access management server;
  
  securely logging the user into the privileged access management service based at least in part on the authentication information;
  
  providing access to a second secure resource after the user is securely logged into the privileged access management service and based at least in part on the authentication with the privileged access management service;
  
  receiving, from the computing device of the user, a request to access the first secure resource while the user is still logged into the privileged access management service;
  
  based at least in part on the request to deploy the plug-in code on the plug-in server that is isolated by the firewall, transmitting the instructions, to the plug-in server, to implement the workflow for performing the step-up validation to enable access of the user to the first secure resource, the plug-in server configured to;
  
  provide an automated message via a telephone call to a device of the administrator associated with the administrative account, the automated message identifying the request of the user to access the first secure resource, the administrative account being separate from the user account of the user and not part of another account with the user account of the user;
  
  receive a selection, from the device of the administrator, of an option for allowing or denying the user to access the first secure resource, the selection made via a button of the device of the administrator; and
  
  transmit the option selected by the administrator to the privileged access management server;
  
  receiving, from the plug-in server, the option selected by the administrator; and
  
  providing access to the first secure resource based at least in part on the option selected by the administrator while the user is still logged into the privileged access management service.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The computer-implemented method of claim 7, wherein the plug-in framework enables the administrator of the secure resources to update a policy associated with accessing the secure resources while the user is logged into the privileged access management service.
  - 9. The computer-implemented method of claim 7, further comprising generating instructions for implementing the workflow based at least in part on the received plug-in code.
  - 10. The computer-implemented method of claim 7, wherein the access to the second secure resource is provided by checking out a password, to the user, for accessing the second secure resource or is provided by enabling a secure session, with the user, for accessing the second secure resource.
  - 11. The computer-implemented method of claim 7, wherein the plug-in code for implementing the workflow comprises a passcode plugin configured to request a passcode from the user or a challenge question plugin configured to request an answer to a challenge question from the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Ho, Fannie, Sharma, Himanshu, Theebaprakasam, Arun, Lee, Kwan-I, Kottahachchi, Buddhika, Sathyanarayan, Ramaprakash Hosalli, Wang, Zhe
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Stoica, Adrian

Application Number

US14/221,203
Publication Number

US 20150082372A1
Time in Patent Office

1,174 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/604   Tools and structures for ma...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 67/562   Brokering proxy services

Privileged account plug-in framework-step-up validation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Privileged account plug-in framework-step-up validation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links