Dynamic Network Identity and Policy management

Information

  • Patent Application
    20070150934
  • Publication Number
    20070150934
  • Date Filed
    June 22, 2006
  • Date Published
    June 28, 2007
Abstract
Network policies are managed based at least in part on user/entity identity information with: a state monitor operable to monitor for state change events in user/entity state and related network state, or in traffic pattern and traffic flow state; an identity manager operable to obtain and validate user credentials; and a policy manager operable, in response to a state change event detected by the state monitor (either the identity manager or a defense center), to select a policy based in part on the user identity obtained by the identity manager or the security context obtained by the defense center, and to prompt application of the selected policy. The policies are indicative of user/device authorization entitlements and restrictions on the utilization of certain network resources, network services or applications. Dynamic policy selection and targeted responses can be used, for example, against a user who gains network access with a stolen user ID and password and subsequently attempts malicious behavior. In particular, the malicious behavior is detected and identified, and the malicious user can then be restricted from abusing network resources without adversely affecting other users, groups, network devices, and other network services.
Description

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 illustrates logical network architecture for providing end point compliance, dynamic network identity, network threat management and network policy management.

FIG. 2 illustrates the IdM service in greater detail.

FIG. 3 is an optional call flow diagram illustrating an interaction of the IdM service and an application or network service.


Claims
  • 1. Apparatus operable to manage network policies based at least in-part on identity comprising: an authentication session manager operable to monitor for state change events in user state and related network state, and obtain and validate user credentials; and a policy manager operable in response to a state change event detected by the authentication session manager to select a policy based in-part on the user identity and related network information and security context obtained by the identity manager, and to prompt application of the selected policy, the policy being indicative of authorization entitlements and restrictions to utilization of certain network resources, whereby the policy is dynamically selected and enforced.
  • 2. The apparatus of claim 1 wherein the policy manager is further operative to select the corresponding policy and to distribute it to at least one policy enforcement point in the network.
  • 3. The apparatus of claim 1 wherein the defense center is operable in response to detection of a state change event to notify the policy manager, and in response the policy manager (i.e., policy decision function) queries the identity manager for user identity information and security context associated with the event.
  • 4. The apparatus of claim 1 wherein the state change event is indicative of a threat.
  • 5. The apparatus of claim 4 wherein the selected policy is a threat response.
  • 6. The apparatus of claim 1 wherein the state change event is indicative of a change in network resource availability.
  • 7. The apparatus of claim 1 wherein the state change event is indicative of a change in network resource need.
  • 8. A method for managing network policies based at least in-part on identity context, comprising the steps of: monitoring for state change events in user state and related network state with an identity manager's authentication session manager; obtaining and validating user credentials with the authentication session manager; in response to a state change event detected by the identity manager, notifying a policy manager, and prompting application of the corresponding policy, the policy being indicative of authorization entitlement and restrictions to utilization of certain network resources or network services, whereby the policy is dynamically selected and targeted for the network resource/network service/application.
  • 9. The method of claim 8 including the further step of distributing the selected policy to at least one policy enforcement point in the network.
  • 10. The method of claim 9 wherein the state change event is indicative of a threat.
  • 11. The method of claim 9 wherein the selected policy is a threat response.
  • 12. The method of claim 8 wherein the state change event is indicative of a change in network resource availability.
  • 13. The method of claim 8 wherein the state change event is indicative of a change in network resource need.
  • 14. A method for managing network policies based at least in-part on state change context, comprising the steps of: monitoring for state change events in traffic patterns and flows and related network state with either a defense center and threat protection systems/sensors or an environment state change monitor; notifying a policy manager with state context, and prompting application of the corresponding policy, the policy being indicative of authorization entitlement and restrictions to utilization of certain network resources or network services, whereby the policy is dynamically selected and targeted for the network resource/network service/application.
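The control flow described in the abstract and in claims 1, 3 and 8 (a state change event reported by the defense center or session manager, the policy manager querying the identity manager for user identity and security context, then selecting and distributing a targeted policy to enforcement points) as an added, simplified Python model; this is illustrative code, not the patent's implementation, and the class names, event fields, policy actions and severity threshold are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    device_ip: str
    group: str

class IdentityManager:
    """Authentication session manager: validates credentials and tracks user/device state."""
    def __init__(self, credential_store):
        self._creds = credential_store   # user -> password; constructed sample store
        self._sessions = {}              # device_ip -> Session

    def login(self, user, password, device_ip, group):
        if self._creds.get(user) != password:    # credential validation
            return False
        self._sessions[device_ip] = Session(user, device_ip, group)
        return True

    def security_context(self, device_ip):
        return self._sessions.get(device_ip)     # None when the address has no authenticated session

class PolicyManager:
    """Policy decision function: selects a policy for a state change event and pushes it to PEPs."""
    def __init__(self, idm, enforcement_points):
        self.idm = idm
        self.peps = enforcement_points           # each PEP is a plain list of rules (stand-in)

    def on_state_change(self, event):
        ctx = self.idm.security_context(event.get("source_ip"))
        if event["kind"] == "threat":            # reported by the defense center / sensors
            if ctx is None:                      # unauthenticated source: isolate the address only
                policy = {"action": "quarantine", "match": {"ip": event["source_ip"]}}
            elif event["severity"] >= 7:         # valid credentials, malicious behaviour: cut that session
                policy = {"action": "deny_all", "match": {"user": ctx.user, "ip": ctx.device_ip}}
            else:
                policy = {"action": "limit_services", "match": {"user": ctx.user, "ip": ctx.device_ip}}
        elif event["kind"] == "resource_availability":   # environment state change (claim 6)
            policy = {"action": "rate_limit", "match": {"group": event["group"]}}
        else:
            return None
        for pep in self.peps:                    # distribute to every enforcement point (claim 2)
            pep.append(policy)
        return policy

def restricted(pep_rules, session):
    """True if any distributed rule targets this session (every match key must agree)."""
    attrs = {"user": session.user, "ip": session.device_ip, "group": session.group}
    return any(all(attrs[k] == v for k, v in r["match"].items()) for r in pep_rules)
```

The point of the model is the targeting: a threat from an authenticated session produces a rule keyed to that user and address, so another user on the same group and enforcement point remains unaffected until a group-wide event arrives.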
Provisional Applications (1)
Number Date Country
60752988 Dec 2005 US