WO2012173599A1 - Access control system and method - Google Patents

Access control system and method

Info

Publication number
WO2012173599A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer
decision support
access
support system
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2011/040304
Other languages
English (en)
Inventor
Siani Pearson
Marco Casassa Mont
Peter J. REID
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hewlett Packard Development Co LP
Original Assignee
Hewlett Packard Development Co LP
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett Packard Development Co LP
Priority to PCT/US2011/040304
Publication of WO2012173599A1
Legal status: Ceased

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Definitions

  • Access control is a system which enables an authority (e.g., computer) to control access to areas and resources in a given physical facility or computer-based information system.
  • An access control system within the field of physical security is generally observed as the second layer in the security of a physical structure.
  • FIG. 1 illustrates an example of a decision support access control system.
  • FIG. 2 illustrates an example of a system for decision support access control and associated databases.
  • FIG. 3 illustrates an example of a decision support system.
  • FIG. 4 illustrates an example of an access control system.
  • FIG. 5 illustrates a flowchart of an example method for decision support access control.
  • FIG. 6 illustrates an example of a computer system that can be employed to implement the systems and methods illustrated in FIGS. 1-5.
  • FIG. 1 illustrates an example of a decision support access control system 100.
  • the system 100 includes computer readable instructions that provide functionality for enabling or disabling access to a computer system 110.
  • this includes a computer readable medium 120 comprising computer readable instructions.
  • Such instructions can include an access control system 130 to enable or disable admittance to a computer system 110 based on an access request 140 (or requests) from a requestor.
  • a decision support system 150 is provided to augment control decisions determined by the access control system 130, where the decision support system analyzes a current contextual input 160 (or inputs) associated with the requestor to enable or disable the admittance to the computer system 110.
  • the access control system 130 may analyze items such as passwords that are submitted via the access request 140 and submitted by the requestor or user of the system.
  • the decision support system 150 may further analyze the contextual input 160 to determine whether or not access can be granted to the computer 110.
  • contextual input 160 refers to a user's current situation or circumstances as they relate at the time of the request.
  • a question relating to a requestor's mother's maiden name does not relate to current context or circumstance but rather a past event, where a question relating to the requestor's current country, citizenship, age, ID numbers such as passport or license numbers, or other current information, for example, help to establish relevant context for the decision support system 150 that can be employed to enable or disable entry to the computer at 110.
  • the access control system 130 can employ a policy to enable or disable admittance to the computer system 110.
  • the decision support system 150 can employ a decision support database (See FIG. 2) that stores rules and questionnaires, for example, to analyze the contextual input 160.
  • the decision support database can include legal or legislative data, business constraint data, or security constraint data, for example.
  • Other components of the access control system 130 include a policy enforcement point to generate the contextual input 160 for the decision support system 150. This can also include a policy decision point to facilitate redirection of the decision support system 150 in case of failure to the access request 140.
  • other components may include an audit log to facilitate context determinations for the decision support system 150 which can also access a personal database to store confidential information of a user, wherein the confidential information is further processed to determine context for the decision support system.
  • the decision support system 150 can generate questions or requests for information to further analyze a user's context.
  • the decision support system 150 can also analyze a user's access purposes, contractual terms, or contractual conditions in order to enable or disable admittance to the computer system 110.
  • FIG. 2 illustrates an example of a system 200 for decision support access control and associated databases.
  • the system 200 includes a processing unit 210 (or processor) that executes instructions from a memory 214 that includes firmware or other storage media for storing computer executable instructions associated with a computer.
  • the processing unit 210 and memory 214 can be provided as part of a hybrid tool that includes a decision support system 220 that is associated with components of an access control system as described in more detail below.
  • the decision support system (DSS) 220 can be triggered to gather additional context that is utilized before an automated decision can be performed.
  • context is related to a user or requestor's current condition or circumstance or situation, where automated questions can be queried by the decision support system 220 to determine such current conditions.
  • the DSS 220 can be used in order to allow (e.g., strongly)
  • PEP Policy Enforcement Point
  • PDP Policy Decision Point
  • the DSS 220 can create awareness of what needs to be satisfied to receive access and can require the user to make statements (e.g., regarding current context), in addition to collecting credentials or other information from various sources.
  • the DSS 220 can be driven by a set of rules 250 with exception management and strong tracking of authenticated users' statements by means of auditing and checking at the audit log 244.
  • a context 260 can be output by the PDP 234 to the DSS 220 for further interactions, where exception management can involve discretionary statements made by users or by administrators. The circumstances where these can occur can be covered by policies 270.
  • a personal data and confidential information store 280 that can be processed by the PEP 230 to further determine current contextual conditions of the user or requestor.
  • the system 200 includes the memory 214 for storing computer executable instructions associated with a computer. This includes the processing unit 210 for accessing the memory 214 and executing the computer executable instructions.
  • the computer executable instructions can include the decision support system 220 to process a current contextual input to determine access to a computer system.
  • the policy enforcement point 230 is provided to process access requests 226 to the computer system and to issue grants or to deny access to the computer system based on the current contextual input.
  • the policy decision point 234 is provided to redirect control to the decision support system in the event of a denial of access to the computer system.
  • the decision support database 250 stores rules and questionnaires to analyze the current contextual input, wherein the decision support database includes legal or legislative data, business constraint data, or security constraint data.
  • the audit log 244 is employed to facilitate context determinations for the decision support system 220.
  • the personal database 280 is provided to store confidential information of a user, wherein the confidential information is further processed to determine current context for the decision support system 220, wherein the decision support system generates questions or requests for information to further analyze a user's current context.
  • FIGS. 3 and 4 are now provided to illustrate example details of the decision support system 150 and access control system 130 depicted in FIG. 1.
  • FIG. 3 illustrates an example of a decision support system 300 and is related to the decision support system 150 depicted in FIG. 1.
  • contextual input 310 is processed by a decision support system 320 (DSS).
  • Such input 310 can include answers to questions that are generated by the decision support system 320 to determine a requestor's current context or condition.
  • After processing the contextual input 310, the decision support system 320 generates an automated decision 330 that is applied to augment access control decisions of a decision support system that is described in more detail below with respect to FIG. 4.
  • the decision support system (DSS) 320 is a computer-based information system that supports business or organizational decision-making activities.
  • the DSS 320 serves the management, operations, and planning levels of an organization and helps to make decisions, which may be rapidly changing and not easily specified in advance via policy or hard-coded rules.
  • the DSS 320 can be associated with an access control system (described in FIG. 4) in order to grant or deny access to a computer system based on a user's present context.
  • the DSS 320 also includes knowledge-based systems.
  • the DSS 320 can be an interactive software-based system to help decision makers compile useful information from a combination of raw data, documents, personal knowledge, or business models to identify and solve problems and make decisions regarding access and current context.
  • the acquired knowledge of the DSS 320 can be employed to augment or assist access control decisions at 330.
  • FIG. 4 illustrates an example of an access control system 400 such as related to the access control system depicted at 130 of FIG. 1.
  • the access control system 400 is illustrated with two main functional blocks.
  • a policy enforcement point 410 (PEP) and a policy decision point 420 (PDP) may be provided as previously described with respect to FIG. 2.
  • Access control systems 400 provide the essential services of identification and authentication (I&A), authorization, and accountability where: identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in; authorization determines what a subject can do; accountability identifies what a subject (or all subjects associated with a user) did.
  • other functions can also be served by the access control system 400 (e.g., coordinating with decision support system to perform joint security or access decision based on determined current contextual conditions).
  • FIG. 5 illustrates an example method 500 for decision support access control. It is noted that such method 500 can be automatically executed by one or more computer systems.
  • the method 500 includes processing a request to access a computer system. As described previously, such initial processing can be provided by an access control system where initial authentication or authorization may occur (e.g., password exchange).
  • the method includes analyzing a policy to access the computer system in conjunction with the request. Such policy analysis could occur at a policy decision point, where further data may be employed to gather other data from the requestor such as current contextual data, for example.
  • the method includes requesting a current user context associated with the policy before granting the access to the computer system. As described previously, such current context can be determined by a decision support system for example, where queries are sent to the requestor and analyzed in substantially real-time to enable or deny access to the requestor.
  • FIG. 6 is a schematic block diagram illustrating an example system 600 of hardware components capable of implementing examples disclosed in FIGS. 1-5.
  • the system 600 can include various systems and subsystems.
  • the system 600 can be a personal computer, a laptop computer, a workstation, a computer system, an appliance, an application-specific integrated circuit (ASIC), a server, a server blade center, a server farm, a mobile device, such as a smart phone, a personal digital assistant, and so forth.
  • the system 600 can include a system bus 602, a processing unit 604, a system memory 606, memory devices 608 and 610, a communication interface 612 (e.g., a network interface), a communication link 614, a display 616 (e.g., a video screen), and an input device 618 (e.g., a keyboard and/or a mouse).
  • the system bus 602 can be in communication with the processing unit 604 and the system memory 606.
  • the additional memory devices 608 and 610 such as a hard disk drive, server, stand alone database, or other non-volatile memory, can also be in communication with the system bus 602.
  • the system bus 602 operably
  • system bus 602 also operably interconnects an additional port (not shown), such as a universal serial bus (USB) port.
  • the processing unit 604 can be a computing device and can include an application-specific integrated circuit (ASIC).
  • the processing unit 604 executes a set of instructions to implement the operations of examples disclosed herein.
  • the processing unit can include a processor core.
  • the additional memory devices 606, 608 and 610 can store data, programs, instructions, database queries in text or compiled form, and any other information that can be needed to operate a computer.
  • the memories 606, 608 and 610 can be implemented as computer-readable media (integrated or removable) such as a memory card, disk drive, compact disk (CD), or server accessible over a network.
  • the memories 606, 608 and 610 can comprise text, images, video, and/or audio.
  • the memory devices 608 and 610 can serve as databases or data storage. Additionally or alternatively, the system 600 can access an external system (e.g., a web service) through the communication interface 612, which can communicate with the system bus 602 and the communication link 614.
  • the system 600 can be used to implement, for example, a client computer, a printer server, and at least some components of printers that can be employed in a system that manages a print job.
  • Computer executable logic for implementing the system 600 can reside in the system memory 606, and/or in the memory devices 608 and/or 610 in accordance with certain examples.
  • the processing unit 604 executes one or more computer executable instructions originating from the system memory 606 and the memory devices 608 and 610.
  • the term "computer readable medium" as used herein refers to a medium that participates in providing instructions to the processing unit 604 for execution.
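
The request flow described above for FIG. 2 and method 500 (PEP, PDP, DSS and audit log), sketched as an added example that is not taken from the patent. All names, the sample rules and the credential store are constructed assumptions; the sketch denies on unknown resources, missing answers and malformed answers.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable

SALT = b"constructed-salt"                      # constructed sample value

def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": _kdf("correct horse")}        # constructed credential store
AUDIT_LOG: list[dict] = []                      # decisions and user statements

@dataclass(frozen=True)
class Rule:                                     # one decision support database row
    key: str                                    # current-context item required
    question: str                               # questionnaire text for the requestor
    check: Callable[[object], bool]             # constraint the answer must meet
    kind: str                                   # "legal", "business" or "security"

# Hypothetical decision support database: rules and questionnaire per resource.
DSS_DB = {"export-docs": [
    Rule("country", "Which country are you in right now?",
         lambda v: v in {"US", "GB"}, "legal"),
    Rule("age", "What is your current age?",
         lambda v: isinstance(v, int) and v >= 18, "business"),
]}

def audit(user, resource, decision, detail):
    AUDIT_LOG.append({"user": user, "resource": resource,
                      "decision": decision, "detail": detail})

def _passes(rule: Rule, context: dict) -> bool:
    try:
        return rule.key in context and bool(rule.check(context[rule.key]))
    except Exception:
        return False                            # malformed answer fails closed

def pdp_evaluate(resource: str, context: dict):
    """PDP: return (granted, unmet_rules) for the current context."""
    rules = DSS_DB.get(resource)
    if rules is None:
        return False, []                        # no policy for resource: deny
    unmet = [r for r in rules if not _passes(r, context)]
    return not unmet, unmet

def dss_gather(user, resource, unmet, context, answer_fn):
    """DSS: put each outstanding question to the requestor, log the statement."""
    for rule in unmet:
        if rule.key in context:
            continue                            # already stated; do not re-ask
        statement = answer_fn(rule.key, rule.question)
        audit(user, resource, "statement", {rule.key: statement})
        if statement is not None:
            context[rule.key] = statement

def pep_handle(user, password, resource, answer_fn) -> bool:
    """PEP: authenticate, consult the PDP, hand a denial to the DSS, enforce."""
    if not hmac.compare_digest(USERS.get(user, b""), _kdf(password)):
        audit(user, resource, "deny", "authentication failed")
        return False
    context: dict = {}
    granted, unmet = pdp_evaluate(resource, context)
    if not granted and unmet:                   # denial: redirect to the DSS
        dss_gather(user, resource, unmet, context, answer_fn)
        granted, unmet = pdp_evaluate(resource, context)
    audit(user, resource, "grant" if granted else "deny", [r.key for r in unmet])
    return granted

if __name__ == "__main__":
    answers = {"country": "US", "age": 30}      # constructed requestor answers
    print(pep_handle("alice", "correct horse", "export-docs",
                     lambda key, question: answers.get(key)))
    print(AUDIT_LOG)
```
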

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

According to one example, the invention relates to an access control system to enable or disable access to a computer system based on an access request. A decision support system is provided to augment control decisions determined by the access control system, the decision support system analyzing a contextual input to enable or disable access to the computer system.
PCT/US2011/040304 2011-06-14 2011-06-14 Access control system and method Ceased WO2012173599A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2011/040304 WO2012173599A1 (fr) 2011-06-14 2011-06-14 Access control system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2011/040304 WO2012173599A1 (fr) 2011-06-14 2011-06-14 Access control system and method

Publications (1)

Publication Number Publication Date
WO2012173599A1 (fr) 2012-12-20

Family

ID=47357363

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2011/040304 Ceased WO2012173599A1 (fr) 2011-06-14 2011-06-14 Access control system and method

Country Status (1)

Country Link
WO (1) WO2012173599A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070276944A1 (en) * 2006-05-09 2007-11-29 Ticketmaster Apparatus for access control and processing
US20080107274A1 (en) * 2006-06-21 2008-05-08 Rf Code, Inc. Location-based security, privacy, assess control and monitoring system
US20100287584A1 (en) * 2009-05-07 2010-11-11 Microsoft Corporation Parental control for media playback
US20110055905A1 (en) * 2009-08-31 2011-03-03 Kyocera Mita Corporation Authentication apparatus and computer-readable medium storing authentication program code

Similar Documents

Publication Publication Date Title
CN110197058B (zh) Unified internal control security management method, system, medium and electronic device
US8336091B2 (en) Multi-level authentication
JP6932175B2 (ja) Personal number management device, personal number management method, and personal number management program
US20120311696A1 (en) Override for Policy Enforcement System
US11238408B2 (en) Interactive electronic employee feedback systems and methods
US8516539B2 (en) System and method for inferring access policies from access event records
US8869234B2 (en) System and method for policy based privileged user access management
US8713688B2 (en) Automated security analysis for federated relationship
WO2019052496A1 (fr) Account authentication method for cloud storage, and server
US20230370473A1 (en) Policy scope management
US20090313684A1 (en) Using windows authentication in a workgroup to manage application users
US20160057168A1 (en) System and methods for efficient network security adjustment
WO2020056015A9 (fr) Deployment and communication gateway for deployment, secure execution and secure communications
US20100218238A1 (en) Method and system for access control by using an advanced command interface server
JP2012138078A (ja) Method, system, and computer program for enabling fine-grained discretionary access control for data stored in a cloud computing environment
US12277457B1 (en) Client application for dynamic contextual routing to artificial intelligence models
CN104871509A (zh) Method and apparatus for managing access rights
US11086643B1 (en) System and method for providing request driven, trigger-based, machine learning enriched contextual access and mutation on a data graph of connected nodes
CN120342731A (zh) Multi-factor authentication trusted data space access control method, platform and medium
US12547681B2 (en) Deriving input restrictions for artificial intelligence agents
US20250378399A1 (en) Rules Engine for Dynamic Contextual Routing to Artificial Intelligence Models
US20080066169A1 (en) Fact Qualifiers in Security Scenarios
WO2025111530A1 (fr) Systems, methods and computer-readable medium for developing decision-making skills
CN117540361A (zh) Single sign-on authentication method, apparatus, device, medium and program product
WO2012173599A1 (fr) Access control system and method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11867848

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11867848

Country of ref document: EP

Kind code of ref document: A1