US20040128537A1 - Retrospective policy safety net - Google Patents

Retrospective policy safety net

Info

Publication number: US20040128537A1
Application number: US10/331,742
Authority: US (United States)
Legal status: Abandoned
Inventors: Mary Zurko, George Blakley
Original and current assignee: International Business Machines Corp (assignors: Blakley, George R., III; Zurko, Mary Ellen)
Prior art keywords: policy, access, entries, comparing, group
Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 ... for controlling access to devices or network resources > H04L63/101 Access control lists [ACL]
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 ... to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2101 Auditing as a secondary aspect


Abstract

These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions.

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention [0001]

This invention generally relates to methods and systems for evaluating access policy changes, and more specifically, to methods and systems for determining how a policy change would have influenced past actions as a predictor for future problems. [0002]

2. Background Art [0003]

It is often difficult for computer network administrators to be sure they are doing something both secure and efficient when they change policy information that controls user behavior. Prior art procedures for changing policy information generally focus on controlling access to information but do not apply to all potentially restrictive policy information. [0004]

An administrator may discover that some resource, like a discussion database, has its Access Control List (ACL) set to allow anyone to read it. To tighten security, they will remove that entry. Now, they need to be concerned with a surge of help desk calls from the people who were relying on that access to get their job done, who are not explicitly listed in the remaining ACL. [0005]

The concept of one active policy and several latent policies is known. Latent policies can be queried against before becoming active, to understand the impact of changes. However, most administrators who change policies do not know what to check, and what to ask about, and do not have the time to think about it. [0006]

SUMMARY OF THE INVENTION

An object of this invention is to improve methods and systems for evaluating access policy changes. [0007]

Another object of the invention is to determine how a policy change would have influenced past actions. [0008]

A further object of the present invention is to compare a policy change against some history of past actions and to tell a computer network administrator what happened in the past that could not happen in the future because of this change. [0009]

A further object of the invention is to make changes to a policy based on a comparison with a past policy and a prediction about how important that change will be going forward. [0010]

These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions. [0011]

For example, these predetermined actions may be (i) making the change with a warning, (ii) rejecting the change, (iii) making a different change so that the things that happened in the log are still allowed, but some other things are not allowed (newly disallowed), and (iv) displaying the problem to the administrator and letting them decide what to do. The choice among these actions might be configured in a number of ways. For instance, sites can configure which of those actions are appropriate. Alternatively, which actions the system takes can be based on information in the policies, in the changes, in the users that would be denied or their attributes, or in the actions that would be denied and their attributes. For example, a configuration could say that if the users who would be denied an access are listed in the corporate directory as active employees and the action that they took that would be denied is less than one week old, alter the policy to continue to allow the action and log the warning to an administrator. [0012]

Also, the invention may be embodied in a live system. In one embodiment, further steps may include submitting either or both of the second policy or the changes to the first policy that produce that second policy. In addition, in a preferred procedure, the present invention can tell someone changing a policy how that policy change would have influenced past (retrospective) actions. It compares the policy change against some history of past actions, and tells the administrator what happened in the past that could not happen in the future because of this change. The administrator can consider whether that is going to be desirable or not. The preferred procedure includes configuring which of a set of four courses of action to take. [0013]

Further benefits and advantages of the invention will become apparent from a consideration of the following detailed description, given with reference to the accompanying drawings, which specify and show preferred embodiments of the invention. [0014]

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a flow chart illustrating a preferred procedure embodying this invention. [0015]

FIG. 2 illustrates the operation of this invention. [0016]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

This invention generally relates to a method and system for evaluating access policy changes. With reference to FIGS. 1 and 2, the method comprises the step 12 of providing an access control mechanism 14 having a first policy 16, and an audit log 20 having entries 22 of accesses made under that first policy. The method comprises the further steps, represented at 24, 26 and 30, respectively, of submitting a second policy 32 to the access control mechanism, comparing at 34 the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions. [0017]

For example, these predetermined actions may be (i) making the change with a warning, (ii) rejecting the change, (iii) making a different change so that the things that happened in the log are still allowed, but some other things are not allowed (newly disallowed), and (iv) displaying the problem to the administrator, as represented at 36, and letting them decide what to do. The choice among these actions might be configured in a number of ways. For instance, sites can configure which of those actions are appropriate. Alternatively, which actions the system takes can be based on information in the policies, in the changes, in the users that would be denied or their attributes, or in the actions that would be denied and their attributes. For example, a configuration could say that if the users who would be denied an access are listed in the corporate directory as active employees and the action that they took that would be denied is less than one week old, alter the policy to continue to allow the action and log the warning to an administrator. [0018]

The present invention, it may be noted, may be embodied in a live system. In addition, in a preferred procedure, the present invention can tell someone changing a policy how that policy change would have influenced past (retrospective) actions. It compares the policy change against some history of past actions, and tells the administrator what happened in the past that could not happen in the future because of this change. The administrator can consider whether that is going to be desirable or not. The preferred procedure includes configuring which of a set of four courses of action to take. [0019]

The most straightforward implementation of this invention involves a simple access control mechanism (say an ACL) and a log or audit history of actions that were controlled by the access control mechanism. For example, take a Domino ACL with the ability to compute a person's current effective access, and an audit log of accesses to a Domino database that includes the identity of the person taking the action and the particular action. The actions that can be taken are directly mapped to permissions in the ACL via a table. For example, the read action is mapped to the reader level. [0020]

When a change to the ACL is being made or proposed, with any suitable algorithm, some number of audit entries are compared against the new ACL. The effective access of the person in the audit entry is calculated, and that access is compared to the action in the audit record. If the action in the audit record is no longer allowed, it is displayed for the administrator in some form that allows the administrator to understand what it was and why it would be no longer allowed by the new ACL. [0021]

The system of this invention can be configured to take a number of actions, depending on site policy. For instance, the change can be made (and a warning logged) or the change can be rejected (with notification). As another example, the system can modify the change to "fix" it, so that the past event in the audit log would still be allowed, but other events covered by the original change would be newly disallowed. This is possible for policy modifications that target a group of users, a group of actions, a group of objects, or a number of contextual constraints. [0022]

For example, if the change to an ACL is to deny an action to a group of users (or to remove a group of users from an ACL such that actions previously allowed would be denied), then a companion "fix up" change would add an entry for the single user in the conflicting audit event to allow that action, such that it would take precedence over the new group disallowed entry, or it would maintain the ability to take the action that removing an entry would disallow. Similar examples are possible for the other types of groupings. [0023]

Any suitable hardware may be used to practice the present invention. For example, any suitable computer or computer network may be used to implement the access control mechanism 14, and any suitable monitor or display 36 may be used to display the results of comparing the log entries to the second policy. [0024]

While it is apparent that the invention herein disclosed is well calculated to fulfill the objects stated above, it will be appreciated that numerous modifications and embodiments may be devised by those skilled in the art, and it is intended that the appended claims cover all such modifications and embodiments as fall within the true spirit and scope of the present invention. [0025]
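The procedure of paragraphs [0020] to [0023] (compute each logged person's effective access under the proposed ACL, compare it with the level the logged action needs, then apply the site-configured course of action, including the companion "fix up" entry) as an added example; this is not code from the patent or from IBM. The Domino-style level ordering, the precedence rule (person entry over group entry over '-Default-'), every row of the action-to-level table except "read", and the sample users are assumptions made for the example.

```python
"""Retrospective check of a proposed ACL change against an audit log.

Added example, not code from the patent or from IBM. The Domino-style ACL model
(levels, person entry beating group entries, a '-Default-' entry) and every row
of the action-to-level table except 'read' are assumptions made for the example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Domino-style access levels, least to most permissive."""
    NO_ACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6


# The page maps logged actions to ACL permissions via a table and gives only
# "read -> reader level"; the other rows are assumed.
ACTION_LEVEL = {"read": Level.READER, "create": Level.AUTHOR, "edit": Level.EDITOR}


@dataclass
class Acl:
    """entries: person or group name -> Level; groups: group name -> members.
    '-Default-' applies to anyone matched by no person or group entry."""
    entries: dict
    groups: dict = field(default_factory=dict)

    def effective_access(self, person: str) -> Level:
        if person in self.entries:          # explicit person entry wins
            return self.entries[person]
        group_levels = [lvl for name, lvl in self.entries.items()
                        if person in self.groups.get(name, ())]
        if group_levels:                    # most permissive matching group
            return max(group_levels)
        return self.entries.get("-Default-", Level.NO_ACCESS)

    def allows(self, person: str, action: str) -> bool:
        return self.effective_access(person) >= ACTION_LEVEL[action]


@dataclass
class AuditEntry:
    person: str
    action: str
    age_days: int          # how long ago the logged access happened


def newly_denied(log, new_acl):
    """Comparing step: logged accesses the proposed policy would refuse."""
    return [e for e in log if not new_acl.allows(e.person, e.action)]


def fix_up(new_acl, denied):
    """Companion 'fix up' change: an explicit person entry at the level the
    logged action needs, which takes precedence over the new group/default
    denial. Everyone else covered by the original change stays disallowed."""
    fixed = Acl(dict(new_acl.entries), new_acl.groups)
    for e in denied:
        need = ACTION_LEVEL[e.action]
        if fixed.entries.get(e.person, Level.NO_ACCESS) < need:
            fixed.entries[e.person] = need
    return fixed


def evaluate_change(log, new_acl, active_employees, max_age_days=7):
    """Return (action, acl_to_apply, denied). Site rule taken from the page's
    example: denied users who are active employees with an access under a
    week old get the policy altered plus a warning; no conflict means make
    the change; anything else is displayed for the administrator to decide."""
    denied = newly_denied(log, new_acl)
    if not denied:
        return "make_change", new_acl, []
    if all(e.person in active_employees and e.age_days < max_age_days
           for e in denied):
        return "fix_and_warn", fix_up(new_acl, denied), denied
    return "display", new_acl, denied


def sample_scenario():
    """Constructed data for the page's discussion-database case: the
    administrator removes the world-readable '-Default-' access."""
    groups = {"Engineering": ["alice"]}
    old = Acl({"-Default-": Level.READER, "Engineering": Level.EDITOR}, groups)
    new = Acl({"-Default-": Level.NO_ACCESS, "Engineering": Level.EDITOR}, groups)
    log = [AuditEntry("bob", "read", 2),      # relied on default read access
           AuditEntry("alice", "edit", 1),    # covered by the group entry
           AuditEntry("carol", "read", 30)]   # contractor, month-old access
    active = {"alice", "bob"}
    return old, new, log, active
```

With the full constructed log the month-old contractor access makes the rule fall through to "display"; with only the two recent employee entries the change is altered so bob keeps read access while everyone else loses the default entry.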

Claims (18)

What is claimed is:
1. A method of evaluating an access policy change, comprising the steps of:
providing an access control mechanism having a first policy, and an audit log having entries of accesses made under said first policy;
submitting a second policy to said access control mechanism;
comparing said entries to said second policy; and
based on the results of the comparing step, taking one of a predetermined number of actions.
2. A method according to claim 1, wherein:
each entry in the log identifies a person and an associated action; and
the comparing step includes the step of, for each of a group of the entries, determining whether the person identified in the action has access under the second policy to the associated action.
3. A method according to claim 1, wherein the taking step includes the step of displaying any of said entries which do not have access under said second policy.
4. A method according to claim 1, wherein the taking step includes the step of modifying the second policy, using one of a group of predefined procedures, based on the results of the comparing step.
5. A method according to claim 4, wherein a defined group of users has access to a specified action under the first policy and do not have access to the specified action under the second policy, and wherein the modifying step includes the step of altering the second policy so that said second policy provides a subset of said group of users with access to the specified action.
6. A method according to claim 1, wherein the comparing step includes the step of comparing said entries to the second policy before the second policy becomes active.
7. A system for evaluating an access policy change, comprising:
means providing an access control mechanism having a first policy, and an audit log having entries of accesses made under said first policy, said access control mechanism including
means for receiving a second policy;
means for comparing said entries to said second policy; and
comprises means for taking one of a predetermined number of actions based on the results of the comparing means.
8. A system according to claim 7, wherein:
each entry in the log identifies a person and an associated action; and
the means for comparing includes means for determining, for each of a group of the entries,
action.
9. A system according to claim 7, wherein the means for taking includes means for displaying any of said entries which do not have access under said second policy.
10. A system according to claim 7, wherein the means for taking includes means for modifying the second policy, using one of a group of predefined procedures, based on the results of the comparing means.
11. A system according to claim 9, wherein a defined group of users has access to a specified action under the first policy and do not have access to the specified action under the second policy, and wherein the modifying means includes means for altering the second policy so that said second policy provides a subset of said group of users with access to the specified action.
12. A system according to claim 11, wherein the comparing means compares said entries to the second policy before the second policy becomes active.
13. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for evaluating an access policy change, said method steps comprising:
providing an access control mechanism having a first policy, and an audit log having entries of accesses made under said first policy;
submitting a second policy to said access control mechanism;
comparing said entries to said second policy; and
based on the results of the comparing step, taking one of a predetermined number of actions.
14. A program storage device according to claim 13, wherein:
each entry in the log identifies a person and an associated action; and
the comparing step includes the step of, for each of a group of the entries, determining whether the person identified in the action has access under the second policy to the associated action.
15. A program storage device according to claim 13, wherein the taking step includes the step of displaying any of said entries which do not have access under said second policy.
16. A program storage device according to claim 15, wherein the taking step includes the step of modifying the second policy, using one of a group of predefined procedures, based on the results of the taking step.
17. A program storage device according to claim 16, wherein a defined group of users has access to a specified action under the first policy and do not have access to the specified action under the second policy, and wherein the modifying step includes the step of altering the second policy so that said second policy provides a subset of said group of users with access to the specified action.
18. A method according to claim 13, wherein the comparing step includes the step of comparing said entries to the second policy before the second policy becomes active.

Priority Applications (5)

Application Number Priority Date Filing Date Title
US10/331,742 US20040128537A1 (en) 2002-12-30 2002-12-30 Retrospective policy safety net
US12/607,633 US8474006B2 (en) 2002-12-30 2009-10-28 Retrospective policy safety net
US13/838,358 US8904476B2 (en) 2002-12-30 2013-03-15 Retrospective policy safety net
US14/521,989 US9148433B2 (en) 2002-12-30 2014-10-23 Retrospective policy safety net
US14/823,423 US9503458B2 (en) 2002-12-30 2015-08-11 Retrospective policy safety net

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US12/607,633 Continuation US8474006B2 (en) 2002-12-30 2009-10-28 Retrospective policy safety net

Publications (1)

Publication Number Publication Date
US20040128537A1 true US20040128537A1 (en) 2004-07-01

Family

ID=32654815

Family Applications (5)

Application Number Title Priority Date Filing Date
US10/331,742 Abandoned US20040128537A1 (en) 2002-12-30 2002-12-30 Retrospective policy safety net
US12/607,633 Expired - Fee Related US8474006B2 (en) 2002-12-30 2009-10-28 Retrospective policy safety net
US13/838,358 Expired - Fee Related US8904476B2 (en) 2002-12-30 2013-03-15 Retrospective policy safety net
US14/521,989 Expired - Fee Related US9148433B2 (en) 2002-12-30 2014-10-23 Retrospective policy safety net
US14/823,423 Expired - Fee Related US9503458B2 (en) 2002-12-30 2015-08-11 Retrospective policy safety net

Country Status (1)

Country Link
US (5) US20040128537A1 (en)
US20150012967A1 (en) * 2012-03-09 2015-01-08 Mcafee, Inc. System and method for flexible network access control policies in a network environment
US9210193B2 (en) * 2012-03-09 2015-12-08 Mcafee, Inc. System and method for flexible network access control policies in a network environment
US20140165133A1 (en) * 2012-12-08 2014-06-12 International Business Machines Corporation Method for Directing Audited Data Traffic to Specific Repositories
US9124619B2 (en) * 2012-12-08 2015-09-01 International Business Machines Corporation Directing audited data traffic to specific repositories
US9106682B2 (en) * 2012-12-08 2015-08-11 International Business Machines Corporation Method for directing audited data traffic to specific repositories
US9973536B2 (en) 2012-12-08 2018-05-15 International Business Machines Corporation Directing audited data traffic to specific repositories
US10110637B2 (en) 2012-12-08 2018-10-23 International Business Machines Corporation Directing audited data traffic to specific repositories
US10397279B2 (en) 2012-12-08 2019-08-27 International Business Machines Corporation Directing audited data traffic to specific repositories
US20140165189A1 (en) * 2012-12-08 2014-06-12 International Business Machines Corporation Directing Audited Data Traffic to Specific Repositories
US20150295932A1 (en) * 2014-04-09 2015-10-15 Dell Products L.P. Access control list lockout prevention system
US9509700B2 (en) * 2014-04-09 2016-11-29 Dell Products L.P. Access control list lockout prevention system
US11483313B2 (en) * 2018-06-28 2022-10-25 Intel Corporation Technologies for updating an access control list table without causing disruption
US20200007546A1 (en) * 2018-06-28 2020-01-02 Intel Corporation Technologies for updating an access control list table without causing disruption

Also Published As

Publication number Publication date
US8474006B2 (en) 2013-06-25
US20150350216A1 (en) 2015-12-03
US9503458B2 (en) 2016-11-22
US9148433B2 (en) 2015-09-29
US20100115580A1 (en) 2010-05-06
US20150046972A1 (en) 2015-02-12
US20130205368A1 (en) 2013-08-08
US8904476B2 (en) 2014-12-02

Similar Documents

Publication Publication Date Title
US9503458B2 (en) Retrospective policy safety net
US7555645B2 (en) Reactive audit protection in the database (RAPID)
US7849320B2 (en) Method and system for establishing a consistent password policy
US8935787B2 (en) Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior
US6530024B1 (en) Adaptive feedback security system and method
US7373516B2 (en) Systems and methods of securing resources through passwords
US20110314549A1 (en) Method and apparatus for periodic context-aware authentication
US20070300306A1 (en) Method and system for providing granular data access control for server-client applications
CN109918924A (en) The control method and system of dynamic access permission
CN103413083B (en) Unit security protection system
US20110314558A1 (en) Method and apparatus for context-aware authentication
US20080222706A1 (en) Globally aware authentication system
JP2009512922A (en) Method and system for dynamic adjustment of computer security based on user network activity
CN114003943B (en) Safe double-control management platform for computer room trusteeship management
CN107566375B (en) Access control method and device
CN114338105B (en) Zero trust based system for creating fort
CN114389882B (en) Gateway flow control method, device, computer equipment and storage medium
CN116418568A (en) Data security access control method, system and storage medium based on dynamic trust evaluation
US20170346837A1 (en) Real-time security modification and control
Daoud et al. A model of role-risk based intrusion prevention for cloud environment
US8326654B2 (en) Providing a service to a service requester
CN115879156A (en) Dynamic desensitization method, device, electronic equipment and storage medium
Jabbour et al. Policy-based enforcement of database security configuration through autonomic capabilities
CN113645060B (en) Network card configuration method, data processing method and device
CN116089970A (en) Power distribution operation and maintenance user dynamic access control system and method based on identity management

Legal Events

Date Code Title Description
AS Assignment
  Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y
  Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ZURKO, MARY ELLEN;BLAKLEY, GEORGE R., III;REEL/FRAME:013977/0707;SIGNING DATES FROM 20030124 TO 20030128
STCB Information on status: application discontinuation
  Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE