Policy-driven approach to managing privileged/shared identity in an enterprise

US9529993B2 · US · B2

Patent metadata
Publication number: US-9529993-B2
Application number: US-201213411112-A
Country: US
Kind code: B2
Filing date: Mar 2, 2012
Priority date: Mar 2, 2012
Publication date: Dec 27, 2016
Grant date: Dec 27, 2016


Abstract

Official abstract text for this publication.

Access to a privileged account is managed by first requiring authentication of a user logging into the account and then performing a policy evaluation to determine whether the identified user is allowed to log in using the privileged identity. Preferably, the authentication is a two-factor authentication. The policy evaluation preferably enforces a policy, such as a role-based access control, a context-based access control, a combination of such access controls, or the like. Thus, according to this approach, the entity is provided access to the privileged account if the user's identity is verified and a policy is met. In the alternative, the entity is denied access to the privileged account if either the authentication fails, or (assuming authentication does not fail) the policy criteria for the user are not met.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method to manage privileged accounts associated with an enterprise, comprising: determining that an entity is attempting to logon to a privileged account that enables administrative control over a computing resource, wherein a privileged account is a non-personal account accessible using a shared privileged account credential; in response to determining that the entity is attempting to logon to the privileged account, initiating a second factor of authentication by prompting the entity to provide additional identifying information; determining, using software executing in a hardware element, that the entity is authorized to login to the privileged account by verifying the additional identifying information to identify the entity; in response to determining that the entity is authorized to login to the privileged account, verifying, using an access control policy, that the entity that has been identified by verifying the additional identifying information also is allowed, per the access control policy, to logon to the privileged account using the shared privileged account credential; providing the entity access to the privileged account when according to the access control policy the entity that has been identified by verifying the additional identifying information also is allowed to logon to the privileged account; and logging information about the entity access to the privileged account, the information logged identifying the entity based on the additional identifying information provided in response to the prompting.

2. The method as described in claim 1 wherein the determining that an entity is attempting to logon to a privileged account determines whether the entity is attempting to logon using the shared privileged account credential.

3. The method as described in claim 1 wherein the additional identifying information is a credential uniquely associated with the entity.

4. The method as described in claim 1 wherein the access control policy is one of: a role-based access control, a context-based access control, and an identity-context-based access control.

5. The method as described in claim 1 wherein the determining step verifies that information provided by the entity matches the shared privileged account credential associated with the privileged account.

6. The method as described in claim 1 further including denying the entity access to the privileged account when, based on the additional identifying information received following the prompt or information in the policy, the entity is not authorized to login to the privileged account.

7. The method as described in claim 1 wherein the entity is a user or an application associated with the entity.

8. The method as described in claim 1 wherein determining that an entity is attempting to logon to the privileged account further includes: determining whether a cryptographic signature associated with the logon can be verified, and if the cryptographic signature cannot be verified, prompting the entity to provide the additional identifying information.

9. The method as described in claim 8 wherein the entity is a programmatic entity.

10. Apparatus, comprising: a processor; computer memory holding computer program instructions executed by the processor to manage privileged accounts associated with an enterprise by: determining that an entity is attempting to logon to a privileged account that enables administrative control over a computing resource, wherein a privileged account is a non-personal account accessible using a shared privileged account credential; in response to determining that the entity is attempting to logon to the privileged account, initiating a second factor of authentication by prompting the entity to provide additional identifying information; determining that the entity is authorized to login to the privileged account by verifying the additional identifying information to identify the entity; in response to determining that the entity is authorized to login to the privileged account, verifying, using an access control policy, that the entity that has been identified by verifying the additional identifying information also is allowed, per the access control policy, to logon to the privileged account using the shared privileged account credential; providing the entity access to the privileged account when according to the access control policy the entity that has been identified by verifying the additional identifying information also is allowed to logon to the privileged account; and logging information about the entity access to the privileged account, the information logged identifying the entity based on the additional identifying information provided in response to the prompting.

11. The apparatus as described in claim 10 wherein the determining that an entity is attempting to logon to a privileged account determines whether the entity is attempting to logon using the shared privileged account credential.

12. The apparatus as described in claim 10 wherein the additional identifying information is a credential uniquely associated with the entity.

13. The apparatus as described in claim 10 wherein the access control policy is one of: a role-based access control, a context-based access control, and an identity context-based access control.

14. The apparatus as described in claim 10 wherein the determining step verifies that information provided by the entity matches the shared privileged account credential associated with the privileged account.

15. The apparatus as described in claim 10 wherein the computer program instructions are further executed to deny the entity access to the privileged account when, based on the additional identifying information received following the prompt or information in the policy, the entity is not authorized to login to the privileged account.

16. The apparatus as described in claim 10 wherein the entity is a user or an application associated with the entity.

17. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, manage privileged accounts associated with an enterprise the method comprising by: determining that an entity is attempting to logon to a privileged account that enables administrative control over a computing resource, wherein a privileged account is a non-personal account accessible using a shared privileged account credential; in response to determining that the entity is attempting to logon to the privileged account, initiating a second factor of authentication by prompting the entity to provide additional identifying information; determining that the entity is authorized to login to the privileged account by verifying the additional identifying information to identify the entity; in response to determining that the entity is authorized to login to the privileged account, verifying, using an access control policy, that the entity that has been identified by verifying the additional identifying information also is allowed, per the access control policy, to logon to the privileged account using the shared privileged account credential; providing the entity access to the privileged account when according to the access control policy the entity that has been identified by verifying the additional identifying information also is allowed to logon to the privileged account; and logging information about the entity access to the priv
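As an added illustration (not code from the patent or from its assignee), the following Python models the claimed flow end to end: detect a logon to a shared privileged account, run a second factor that identifies the person behind the shared credential, evaluate a role-based plus context-based policy for that person, and write an audit record naming the identified user rather than only the shared account. The accounts, per-user keys, roles, networks and the HMAC challenge-response used as the second factor are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data (assumptions, not from the patent): one shared privileged
# account, per-user second-factor keys, user roles and a per-account access policy.
PRIVILEGED = {"dbadmin": hashlib.sha256(b"shared-pw").hexdigest()}
USER_SECRETS = {"alice": b"alice-2fa-key", "bob": b"bob-2fa-key"}
USER_ROLES = {"alice": {"dba"}, "bob": {"developer"}}
POLICY = {"dbadmin": {"roles": {"dba"}, "networks": [ipaddress.ip_network("10.0.0.0/8")]}}
AUDIT = []  # each entry names the identified person, not just the shared account


def second_factor_response(user, challenge):
    """Client side: the user answers the server challenge with an HMAC under a key only they hold."""
    return hmac.new(USER_SECRETS[user], challenge, "sha256").hexdigest()


def policy_allows(user, account, src_ip):
    """Role-based check (user holds a role granted the account) plus a context check (source network)."""
    rule = POLICY.get(account)
    if rule is None:
        return False
    role_ok = bool(USER_ROLES.get(user, set()) & rule["roles"])
    net_ok = any(ipaddress.ip_address(src_ip) in net for net in rule["networks"])
    return role_ok and net_ok


def privileged_logon(account, shared_pw, claimed_user, response, challenge, src_ip):
    """Return "allow" or "deny:<reason>"; every attempt that reached identification is audited."""
    # Step 1: is this a logon to a privileged account using its shared credential?
    stored = PRIVILEGED.get(account)
    offered = hashlib.sha256(shared_pw.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, offered):
        return "deny:credential"
    # Step 2: the second factor identifies which person is behind the shared account.
    key = USER_SECRETS.get(claimed_user)
    expected = None if key is None else hmac.new(key, challenge, "sha256").hexdigest()
    if expected is None or not hmac.compare_digest(response, expected):
        AUDIT.append({"account": account, "user": claimed_user, "src": src_ip, "result": "deny:second-factor"})
        return "deny:second-factor"
    # Step 3: the identified user must also be allowed by policy to use this shared account.
    result = "allow" if policy_allows(claimed_user, account, src_ip) else "deny:policy"
    AUDIT.append({"account": account, "user": claimed_user, "src": src_ip, "result": result})
    return result
```

Note that a correct shared password alone never grants access: the decision and the audit trail both hinge on the individually identified user.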

Classifications

  • applying multi-factor authentication · CPC title

  • Entity profiles · CPC title

  • Clearing memory, e.g. to prevent the data from being stolen · CPC title

  • G06F21/40 (primary): by quorum, i.e. whereby two or more security principals are required · CPC title

  • using certificates · CPC title

Frequently asked questions


Who is the assignee on this patent?
Kapadia Kaushal Kiran, Gupta Gaurav, Jaiswal Rohit, and 3 more
What technology area does this patent fall under?
Primary CPC classification G06F21/40. Mapped technology areas include Physics.
When was this patent published?
Publication date: Dec 27, 2016 (B2). Legal status and post-grant events are not shown on this page.