The invention is related to the field of information security, and in particular to information security applications having configurable operation.
An information security application may employ a configuration structure to store configuration information that is used during operation to tailor operation in a manner that depends on the current operating environment. For example, a user authentication application may employ different authentication criteria depending on whether the user being authenticated is accessing a protected system locally via a protected network or remotely via a public network. The configuration structure stores configuration information specifying this variable operation based on the type of access for which authentication is being requested.
Known configuration structures employ a tree-like hierarchical organization of configuration information in which different variables define the levels of the tree. The organization reflects a predetermined dependence among the variables in terms of their relative weight or importance in determining what action may be taken. In use, an application obtains relevant information as far down in the tree (i.e., as close to a leaf) as possible, so that the most specific configuration information is used for each situation.
The use of known configuration structures with information security applications can present limitations and difficulties. In some cases the exact interdependence among different variables of operation may not be known or even constant, so that the design of a hierarchical structure is difficult and may not adequately support the operation of an application over a long period. Also, a hierarchical structure does not scale well to a large number of variables or dimensions, because the problem of identifying interrelationships becomes greatly magnified. Modern information security applications, such as risk-based authentication for example, may employ a very large number of different types of risk predictors when assessing the risks of events occurring in a protected system. It may be intractable to define one organization of configuration information that will adequately support the needs of the application to provide high quality risk assessment.
Methods and apparatus are disclosed in which an information security application uses a configuration structure storing independently specified configuration items along with a separate resolver that reflects interdependencies in a resolution strategy used to select among multiple configuration items that may be applicable in a given situation. The disclosed approach can simplify the specification of configuration information and enhance scalability to a large number of dimensions. It can also provide flexibility by enabling the resolution strategy to be changed without requiring a complete restructuring and rebuilding of the configuration structure.
In particular, a method is disclosed of operating a server computer executing an information security application to provide information security services to a client computer. In response to a request from the client computer for a security operation, a context vector is generated and a lookup is performed in a configuration structure to identify a configurable action to be taken as part of the operation. The context vector includes a set of current values of respective environment variables. The configuration structure stores configuration objects each having an environment field and an action field, the environment field storing configured values of the environment variables to specify a context for use of an action value stored in the action field, and the configured values including predefined specific values and a wildcard value indicating that a context for use of the action value of a given configuration object is independent of a given environment variable. The lookup results in identification of a set of the configuration objects whose respective configured values of the environment variables either are wildcards or match respective current values of the environment variables in the context vector.
The set of action values of the identified set of configuration objects is then resolved by a separate resolver to create a resolved action value specifying the configurable action to be taken. Then the configurable action specified by the resolved action value is performed and a response is returned to the client computer based on a result of the configurable action.
The foregoing and other objects, features and advantages will be apparent from the following description of particular embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views.
The security application 16 can be viewed as having two components, a core component or “core” 20 and a configuration structure (CONFIG STRUCT) 22. The core 20 includes most of the functionality (via instructions and data) of the security application 16, except for aspects of operation that are configurable. The configuration structure 22 is used to store configurable parameters or properties that are used by the core 20 in operation. The configurable parameters may be loaded into the configuration structure by any of a variety of means as generally known in the art. For example, the security application 16 may include an administrative interface or “console” that enables a human user to provide the parameters, either directly via a graphical user interface or indirectly via a configuration file that is processed by the console. The security application 16 may itself initialize certain configurable parameters to default values. Other techniques may be used.
In operation, the security services may be provided using a request-response type of application-level protocol in which the agent 18 generates requests 24 for security-related operations. The security application 16 receives the requests 24, performs the requested security-related operations, and returns responses 26 describing the outcomes of the operations and perhaps including data locally usable by the client 12 in some manner. Referring again to the adaptive authentication example in particular, a request 24 may convey information about a current attempt by a user to access the online service provided by the client 12. The security application 16 uses the information from the request, as well as other data that may be locally stored or available from another location, to calculate a level of risk associated with the attempted access, and returns an authentication result in the response 26. The authentication result could be a hard indication, such as an indication that the access is permitted or denied, or it may be a softer indication or perhaps just data that is processed in some manner by the client 12 to make a local decision based on the information.
When using the information from the request 24 and potentially other data to perform a requested operation, the security application 16 uses the configuration structure 22 to obtain any configured parameters or properties whose values depend in some manner on the current environment, typically including information from the request 24 itself. Referring again to the adaptive authentication example, risk may be calculated differently depending on whether the user being authenticated is logging in locally (e.g., via a company-controlled local-area network) versus remotely (via a public network). Thus, the type of access is an environment variable whose value is used to look up information in the configuration structure 22 specifying how the risk calculation is performed. The security application 16 then uses the retrieved information to formulate a specific risk calculation, and proceeds from there to complete the operation and return an appropriate response. More detail on this operation is provided below.
In the simplified example above there are a small number (2) of dimensions and a clear order of importance between dimensions, i.e., it will always be the case that the Tenant value has greater weight or importance than does the Organization value. Thus the hierarchical organization lends itself in particular to collections of configuration information having these properties—a small number of dimensions, and clear order among them. The hierarchical organization becomes difficult if not intractable as the number of dimensions grows large. It may not be clear whether one dimension is always more important than another. Also, relative importance might change over time, which would require completely rebuilding the collection of configuration information to reflect a new ordering among the dimensions.
Also shown is a resolver 48, which may have a separate management or administrative (ADMIN) interface. As described more below, the resolver 48 is responsible for generating a resolved action value 50 by applying a resolution strategy to a set of action values 52 retrieved from the configuration structure 22. The term “resolution” reflects that in some cases there may be conflicts among the set of retrieved action values 52, and in such cases the conflicts must be resolved in order to arrive at a particular action to be taken. More generally, the resolver 48 is used to synthesize a single resolved action value 50 from a collection of generally different action values in the set 52.
It will be appreciated that
More particularly with reference to both
The contents of the context vector 46 are compared against the contents of the environment field 42 of the configuration objects 40 to identify those that match. This is indicated by the set of downward-directed arrows at the left, leading away from the context vector 46. For each configuration object 40 whose environment field contents match the context vector 46, the contents of the action field 44 are included in the set of action values 52. This is indicated by the set of downward-directed arrows at the right, leading into the resolver 48. In the simple example of two distinct environment variables, one variable from the context vector 46 may match the corresponding value in the environment field 42 of one configuration object, while another variable from the context vector 46 matches the corresponding value in the environment field 42 of another configuration object. The action values from the action field 44 of these two matching configuration objects together form the set of action values 52.
Once the set of action values 52 are identified, they are processed by the resolver 48 as mentioned above to generate the resolved action value 50, which in turn identifies the particular action(s) to be taken by the security application 16 in the specific current operating environment as reflected in the context vector 46.
As outlined above, an important feature of the context structure 22 is the relative independence among the configuration objects 40. In known approaches including the hierarchical approach described above, configuration information may be structured in a way that reflects certain dependencies, implicit or explicit, among different pieces of configuration information. Such an organization can be very constraining and inflexible, and it also can present performance issues such as the need to traverse a tree-like structure to retrieve information. The exact dependencies may not even be known at a time of designing the configuration structure, or they may change over the operational life of an application (e.g., security application 16) using the configuration structure. Also, a hierarchical or similar organization may not scale well for use in applications having a large number of relevant environment variables, which may also be referred to as “dimensions”.
In contrast, the configuration objects 40 of the context structure 22 may be specified much more independently, which can greatly simplify initial configuration as well as re-configuration even for a large number of dimensions. It also can provide performance benefits by separating the retrieval of raw, high-dimensionality configuration information from the task of merging or resolving the configuration information into a particular value used for a particular environmental condition.
Two particular uses of the disclosed technique are briefly described.
The first is referred to as multi-dimensional configuration in an adaptive-authentication (AA) risk model used in providing AA services. A risk engine employing an AA risk model needs to perform different calculations in different contexts. An AA context is a multi-dimensional vector (context vector) of specific current values of environment variables. In one simplified example the environment variables (dimensions) are “Tenant”, “Channel” and “Event Type”, where values for Channel may include “WEB”, “MOBILE”, and “PHONE”, and values for Event Type may include “LOGIN”, “PAYMENT”, and “CHANGE_EMAIL”. In this case the order of importance of the dimensions may be unclear. For example, it may unclear whether “Channel” is more important than “Event Type” or vice-versa.
A second use is referred to as multi-dimensional configuration in policy management (PM). In this case an application applies different policies to respond differently in different operating contexts, which again are represented as multi-dimensional vectors of specific current values of environment variables. When policies are added to an application they may be arbitrarily assigned an order of importance. For example consider the following policies in the context of an adaptive authentication application:
1. If the account is a VIP account ALLOW access (don't hamper the user experience for VIP account)
2. If the location of the user is a country from which a lot of fraud originates then DENY access (suspected fraud attempt)
Each of the above policies is specified for different variables—account type for the first, and country of access for the second. If only one policy is implicated for a given event/request, it can be applied. But if multiple policies are implicated, there may be a question about what should be done. This is especially true if the actions of the policies are in conflict. This situation can arise in the above example when a VIP is accessing his/her account from a suspicious country. In this case, the policies have conflicting ALLOW/DENY actions. Using the hierarchical organization of
1. “if VIP account and suspicious country and event type LOGIN then ALLOW”
2. “if VIP account and suspicious country and event type STOCK TRADE then DENY”
3. “if VIP account and suspicious country and event type PAYMENT then CHALLENGE”
and then assigning these rules the appropriate priority. Having these very specific rules make the rules list much harder to manage. Also, if the number of policies is large, the problem of resolving conflicts or other differences between actions (in this case policy-based) is much more difficult.
Such problems can be addressed by creating the configuration scheme in a multi-dimensional way as illustrated in
Below is an example configuration structure 22 that might be used in the above example of AA using a risk model having the three specific environment variables of Tenant, Channel and EventType. In particular, the configurable property in this case is a list of risk predictors to be calculated and used when evaluating risk for a particular request. Each row corresponds to a configuration object 40 of
The first row specifies that if the channel of access is the Web (versus local), then the set of risk predictors {User-country age, Web device age, and number of ISPs from which this user has accessed the system in the last 10 days} are to be calculated and used in the overall risk calculation. The second row specifies that if the event type is Login, then the risk predictors {User-country age, Days since last login, and number of failed logins in last 5 minutes} are calculated and used in the overall risk calculation.
In the above example, if the security application 16 is invoked with the values {Tenant=ABC, Channel=WEB, EventType=LOGIN} in the context vector 46, matches occur for both rows. However, the actions specified in each row are different, so resolution is necessary.
The conflict resolver 48 resolves the differences. It may operate in any of a variety of ways according to the application. Also, its operation may be fixed or it may vary over time. For configuration values that are represented in lists or sets, resolution strategies could be one of the following for example:
Other potential strategies for resolution of configuration values represented in lists includes Get Maximal value and Get Minimal value. All of these are non-exclusive examples; other strategies may be used.
While various embodiments of the invention have been particularly shown and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Number | Name | Date | Kind |
---|---|---|---|
7058821 | Parekh et al. | Jun 2006 | B1 |
8117659 | Hartrell et al. | Feb 2012 | B2 |
20060021055 | Judge et al. | Jan 2006 | A1 |
20060053490 | Herz et al. | Mar 2006 | A1 |