The invention relates generally to computer systems security, and more specifically to a system and method for managing user identity, and other user privileges in computerized systems.
Computer systems security presents a major problem that consumes vast amounts of resources. A prominent problem in the field is managing and verifying user identities, and once verified, managing what is commonly known as the user ‘profile’, i.e. a collection of access rights to access and/or modify certain data, preferences, and the like. Such access rights may be provided at many levels, such as a system, a computer within the system, a directory, a file, or even individual records in a database, or parts thereof. Most ominous is the connection between the internal communications facilities of an organization, commonly known as an “Intranet”, and an external communication facility, such as the Internet. (It should however be noted that the term Internet as used in these specifications relates to any wide area communication network, or even a local area communication network, that is not wholly under the control of the organization).
While this solution works, it has certain drawbacks. Major drawbacks are cost and the level of knowledge required for operations. Managing access requires maintaining the Access Controller and associated databases, as well as the hardware. Time to manage the hardware and software is expensive, and updating the system can easily introduce errors that disrupt service. Additionally, VPN connections are notoriously troublesome and hard to maintain, a fact that often requires costly time from well-skilled personnel.
The known solutions are also not conducive to inter-organization cooperation. Oftentimes cooperating organizations allow a certain level of access for users from cooperating organizations. Thus for example a goods distributor may allow certain clients access to the status of their orders, while preventing access to certain other portions of the organization. The user oftentimes has to authenticate himself to his own organization and only then gain access to the host organization, where he needs to authenticate himself again to the host organization, a tedious process at best. If any detail changes in one organization, maintaining such access requires manual updating of the databases at the host organization by the host information technology personnel. It will be appreciated that in these specifications, the term ‘organization’ is taken to mean a resource, or a group of resources, separated from the Internet by an IPG.
Cooperation between groups of computers is widely used, such as the organization wide systems provided by Windows NT Domains (trademark of Microsoft, Redmond Wash., USA). Such arrangements provide centralized access control to the domain, and specific access controls to computers and files. However, those arrangements lack the capacity to control access to the organization as a whole (i.e. control gateways) or control and manage multiple tunnels (i.e. port/address pairs).
Therefore there is a clear need for a solution that will simplify and reduce the costs of verifying identity and managing access rights in a single organization, and/or across organizations, as well as provide encryption and audit requirements if needed.
These specifications make extensive use of the term applet, and while the term originally stems from the Java programming language, and while a Java applet is specifically directed to running within a web browser, the term as used in these specifications relates to the more common meaning, i.e. a small program that is downloadable to a computer, and is used to perform specific tasks connected with data communications. Therefore an applet may be written for example in a language like ActiveX or XML, and may or may not operate only within a web browser.
There is therefore provided, in accordance with the preferred embodiment of the present invention, a method for access management to a networked resource operable in conjunction with a requester coupled to the internet. The resource is coupled to the internet via a gateway having an external side and an internal side. The external side of the gateway is coupled to the internet and the internal side coupled to the networked resource, thus the gateway selectively controlling access between the internet and the internal side, and by extension to the networked resource. An access controller is coupled to the gateway, and a requester such as a PC or an automated computerized process, is coupled to the internet. The method comprising the steps of:
An important aspect of the invention is that the access controller is coupled to the gateway via the external side, rather than being connected to the internal, protected side.
The preferred method further comprises the steps of:
The access management applet is preferably customized to reflect access rights of the user, and more preferably is generated by the access controller as a web page for execution by the requester.
Preferably, the invention also comprises the step of maintaining audit information on actions taken by the requester. Such audit data may be received from the or from the access management applet.
In the most preferable embodiment, the access controller maintains a count of active sessions between requester and at least one networked resource. This allows the preferred embodiment to control access to a plurality of resources, in a plurality of organizations, all while utilizing a single authentication activity by the user. This access to multiple organizations is achieved by performing the following steps:
The optional use of a software certificate in conjunction with the access management applet, wherein the step of requesting access to the second gateway comprises delivering the software certificate thereto, provides additional security and ease of operation. Further optionally, the preferred embodiment further performs the step of providing information from the access controller to at least a first gateway, when a session is active between the requester and a second gateway, for preventing timeout of a session between the requester and the first gateway.
In another aspect of the invention, there is provided a method for access management to a networked resource, operating in conjunction with a gateway, the gateway having an external side and an internal side, the external side coupled to a public network and the internal side coupled to the networked resource, the gateway selectively controlling access between the external side and the internal side, the method comprises the steps of:
The preferred embodiment of this aspect of the invention further comprises the steps of:
Optionally the access management applet comprises several code sections, each downloaded to the requester when needed. Preferably, the communication between the requester and the gateway or the networked resource is facilitated by a software certificate generated by the access controller. Most preferably, the communication between the requester and the gateway or the networked resource is performed via a software tunnel.
In yet another aspect of the invention, there is provided a method for access management to a networked resource operating in conjunction with a requester coupled to the internet, a gateway having an external side and an internal side, the external side coupled to the internet and the internal side coupled to the networked resource, the gateway selectively controlling access between the internet and the internal side, and an access controller and a requester coupled to the internet, the method comprising the steps of, in the access controller:
Preferably this aspect of the invention further comprises, in the access controller, the steps of:
j) ascertaining access rights for a second networked resource by the user;
More preferably, this aspect of the invention further comprises the step of providing information from the access controller to at least a first gateway, when a session is active between the requester and a second gateway, for preventing timeout of a session between the requester and the first gateway.
The preferred embodiment of the gateway is further equipped for performing the step of receiving and logging audit information concerning activities performed by the user.
In yet another aspect of the invention there is provided a method for access management to a networked resource, operating in conjunction with a gateway, the gateway having an external side and an internal side, the external side coupled to a public network and the internal side coupled to the networked resource, the gateway selectively controlling access between the external side and the internal side, the method comprising the steps of, at the gateway:
Several aspects of the invention will be better understood in view of the accompanying drawings in which:
While the present example relates to a user utilizing a personal computer (PC) the claims use the term ‘requester’ to denote inter alia the PC and the user. However a requester also relates to any entity requesting access to a networked resource, such as an automated process activated on a resource coupled to the public network which is in turn coupled to the public, or external side of the IPG.
Some preferred embodiments will now be explained, utilizing the examples provided by the drawings.
When user U1 attempts to access a computer within the organization Org1, an initial connection, also known as a ‘session request’, is established 305 with IPG 20. Such communication may be directed to a specific port at the IPG, which makes up a portion of the required URL (Universal Resource Locator). Thus a single IPG may serve a plurality of organizations. IPG 20 communicates 310 with an Access Controller 50 which is external to the intranet 30, preferably via an encrypted communications channel SL, that may or may not utilize the Internet 10 as a communication medium (thus the use of internet link 25 to the Access Controller is optional, but desirable for other communications, as will be seen later). The communication between the IPG 20 and Access Controller 50 is able to utilize an encrypted high security link such as SSL (Secured Socket Layer, utilizing well known port 443) for example, and preferably uses fixed IP addresses or even checks specific MAC (Media Access Code) addresses on the respective network interfaces.
Utilizing the URL as a guide, the Access Controller 50 provides the IPG 20 with information that defines a login screen specific to the site 315. A site interface manager module 80 in the Access Controller selects an appropriate login screen. The login may be performed as a web page presented and executed by the IPG; however the preferred embodiment calls for authentication logic, such as an authentication applet 302, to be downloaded to the user computer U1, more preferably via a secure link such as SSL via the IPG. The preferred embodiment also calls for executable logic 301, in the form of rules, to be provided by the Access Controller 50 to the IPG, where the IPG already has software or other logic to handle the implementation of such rules. Alternatively, the executable logic 301 comprises complete code that is transferred to the IPG. It will be noted that the logic 301 relates to the operation of the IPG whether it is implemented as a set of operational data like the rules described above, as complete downloaded software, or as any other combination that allows the IPG to communicate and cooperate with the applets downloaded to the user computer U1.
After the authentication applet 302 is downloaded and activated on the user computer, a communication link, preferably encrypted, is established between the user computer and the IPG 20. As the IPG and the user computer U1 have now established a certain level of coordination between the authentication applet and the IPG logic, more complex authentication schemes, such as two part login or other ‘handshake’ arrangements, are easily handled to provide enhanced security as desired.
After the user logs in, the user identity is authenticated using the ID repository in the Access Controller 50. The Access Controller then provides an access management applet to the user computer U1. It should be noted that while the access management applet 305 and the authentication applet 302 may be integrated, the preferred embodiment calls for the access management applet to be downloaded after authentication is completed. Doing so allows the site interface manager 80 to either select or generate an applet best fitting the user, in conjunction with data provided by the access rights and profiles 85, and thus customize the user interface. Several applets may be prepared in advance, and one selected for each user, or the user interface manager may generate an applet by considering the user rights and preferences, and combine code pieces from the applet library 90 to create the access management applet specific to each user.
The IPG 20 has logic corresponding to the access management applet 305. The logic allows for establishing a secured access link, i.e. transparent communications between the user computer U1 and the target resources 30 and 40 behind the IPG 20. At least part of the secured access link is performed utilizing a protocol such as a handshake protocol, or preferably an encrypted connection, between the requester (in this case U1) and the networked resource. Most preferably the secured access link utilizes a secured socket for communication between the requester and the IPG. The IPG logic may be downloaded as executable code 301 at any desired time, such as at the first login attempt, after login is established, or during a user session as needed. The logic (and the applet) may also be downloaded in parts, as required, or even updated responsive to actions taken by the user. Alternatively the IPG may have the logic or a part thereof already installed therein, and be driven by data received from the Access Controller 50. The combination of IPG logic and applets provides a number of services, as desired and/or dictated by the applet controller.
Perhaps the most desirable of the services is the provision of a secure link. If encryption is desired, it may also be established utilizing the encryption manager 70. Certificate server 60 in the Access Controller 50 may be further utilized to provide software certificates for access to one or more organizations or applications. The preferred embodiment calls for the establishment of a VPN (Virtual Private Network) after the user is authenticated 330, and prior to downloading the access management applet 305 to the user computer. The certificate manager 60 provides the required encryption certificate.
The interaction between the IPG 20 and the access management applet 305 sets rules of engagement that define access rights, preferences, and the like. Thus by way of the example shown in
In the most preferred embodiment, every button on the access management screen causes another ‘mini applet’ to be launched, so the access management applet acts like a portal. The mini applet processes all access parameters as needed, such as encryption, login, auditing, and the like, required during a communication session to the specific resource, thus presenting the user with a tailored user interface for the requested task or resource. Mini applets may be downloaded as a part of the access management applet download, or they may be downloaded dynamically according to need.
The creation of a tunnel as described above, utilizing the access management applet 305 in conjunction with IPG logic 301, offers a plurality of services in a controlled and secured environment. Practically all rules of engagement between the user computer U1 and the destination resource, which may be any resource on the Intranet 30 such as servers 40, printers, and the like, are controlled by the applet/IPG interaction. As the tunnel is controlled by the applet, the applet practically controls what the user may or may not do. The corresponding logic 301 on the IPG 20 will serve as an agent directing the traffic to its destination, while handling all security issues, providing certificates or other security to prevent abuse, such as by switching applets, and the like.
Optionally, the applet communicates with the audit logic 65 in the Access Controller 50 utilizing internet access link 25. Audit logic 65 is thus able to provide complete tracking of the actions taken by the user with respect to the target resource. The exchange of information between the applet and the Access Controller is preferably done using a secured link. The audit logic may keep track in a database of any attempted access and whether such attempt was successful or not, and of any changes made, as customary in computer system audits. Those skilled in the art will recognize that equivalent operation may be provided by having the IPG send information to the audit logic 65. Therefore the invention, and the claimed features, further extend to this equivalent feature of having audit information provided by the applet, the IPG, or a combination thereof. Thus, when the audit option is used, the preferred embodiment further reduces the risk of log tampering because the audit facility is established outside the organization.
An additional benefit which may be provided by the access logic is the ability to provide authentication and access control to a plurality of organizations. By way of non-limiting example the applet may include buttons allowing the user access to other organizations 420, or to resources that are limited by the user's role in the organization 410. When the user attempts to establish communication with a second organization Org2, the access management applet 305 sends a request to the access logic 50 to access the second organization. After verifying that the user has access rights to the second organization, the certificate manager 60 generates a certificate and sends a portion of it to the user computer U1. Using this certificate, the user attempts to connect to a specific port on the IPG 21 of the second organization ORG2. The second IPG communicates the access request to the Access Controller 50, and the Access Controller provides the second IPG 21 with a complementary portion of the certificate, and thus authentication has been established. The Access Controller may also create a second version of the access management applet that will fit the user access rights in the second organization. Such applet may replace the applet already on the user computer, and provide access management for the first and second organization, or may be downloaded and operated as a separate applet. However, preferably each ‘mini applet’ is a separate thread, i.e. an instance of the access management applet 305. Thus each ‘mini applet’ or thread may have its own set of rules such as its own tunnel, with associated encryption protocol, target resource, response set, and the like. If the ‘mini applets’ or threads are used in a system where auditing is implemented, the preferred embodiment will have each of the threads establishing an individual tunnel, with independent encryption.
The IPG will report the creation of each tunnel, and the tearing down of such tunnel, and thus allow auditing of time parameters such as login/logout times and time spent accessing a resource. In certain cases, the portal actions and links have a corresponding applet at the target resource, to provide a more specific response for an application or an activity.
While access to a single organization may be terminated by the IPG of that site, maintaining access to a plurality of organizations is best accomplished by a tunnel manager module 75 in the Access Controller 50. When a tunnel is established with an IPG, or when a tunnel is closed, the respective IPG registers the tunnel creation or closure with the tunnel manager 75. The tunnel manager maintains a count of open tunnels for the user. When all tunnels are closed, the certificate is revoked and the user will have to be authenticated again when s/he attempts to access the resources again. Timeout protection schemes are well known in the art and may be managed by each individual IPG, or by the Access Controller, resetting the timeout every time the user accesses one of the controlled resources. The preferred embodiment also calls for a timeout scheme whereby if the user does not perform any communication activity for a certain amount of time, the session is considered inactive, and terminates.
In order to facilitate understanding of the preferred embodiment of the invention, a detailed, but non limiting example of a sequence of operations and events associated with a user session is provided. The reader is referred to
The operation begins when the user, utilizing a common HTTP and Java enabled browser, requests an SSL connection 605 to the IPG separating the desired resource from the internet. The IPG 20 passes the request to the Access Controller 50 via SSL 610. Access Controller 50 utilizes the requested URL, and returns an authentication applet 615 in the form of a web page to the IPG, which forwards it via SSL to the user computer U1 as indicated by the arrow. The user performs a login utilizing the web page 620. The login attempt may comprise a simple login/password pair, multiple authentication schemes, biometric data, and the like. The request is communicated to the Access Logic via the IPG. The Access Controller 50 authenticates the user, and utilizes the user profile and access rights repository 85 to associate the user with a profile. Using the profile, the Access Controller either selects an applet from the applet library 90, or more preferably selects certain code routines from the applet library, and generates 625 the access management applet. The certificate server 60 generates a software certificate for secure communications. According to the user access rights, the access controller further generates certain rules for the IPG. The rules for the IPG direct the IPG how to respond to specific requests. Thus for example a rule may dictate that a request for a specific port/IP address will be transferred to a specific resource coupled to the Intranet 30, encryption rules for communicating to the user computer according to each port, and the like.
The certificate and the access management applet, as well as the rules are delivered to the IPG 20. The IPG then transfers the access management applet and a portion of the certificate to the user computer, and the applet and the IPG create the required number of tunnels as known. Optionally the IPG may log the user into one or more resources.
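The rule-driven forwarding described in the sequence above, as an added example that is not part of the patent text: the Rule and Request formats, the port numbers, the certificate ids and the intranet host names are assumptions. The IPG forwards only what a rule installed by the Access Controller explicitly allows, and refuses everything else.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed example of IPG logic driven by data from the Access Controller.
# The Rule format is hypothetical; the page only says a rule may map a
# port/IP address to an intranet resource and set per-port encryption rules.


@dataclass(frozen=True)
class Rule:
    listen_port: int          # external IPG port the requester connects to
    target_host: str          # resource on the intranet side of the IPG
    target_port: int
    require_encryption: bool  # per-port encryption rule for the requester link


@dataclass(frozen=True)
class Request:
    user: str
    listen_port: int
    encrypted: bool           # whether the requester's link to the IPG is encrypted
    cert_id: Optional[str]    # requester's portion of the software certificate


@dataclass
class Session:
    cert_id: str
    rules: dict               # listen_port -> Rule


class Gateway:
    """Simplified IPG: a per-user session (certificate + rules) is installed by the
    Access Controller after authentication and removed when the certificate is revoked."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def install_session(self, user: str, cert_id: str, rules: list[Rule]) -> None:
        self._sessions[user] = Session(cert_id, {r.listen_port: r for r in rules})

    def revoke_session(self, user: str) -> None:
        """Session termination: the Access Controller revoked the user's certificate."""
        self._sessions.pop(user, None)

    def route(self, req: Request) -> tuple[bool, str]:
        """Return (forward?, target-or-reason). Default is deny: no rule, no forwarding."""
        session = self._sessions.get(req.user)
        if session is None:
            return False, "no active session for user"
        if req.cert_id != session.cert_id:
            return False, "certificate mismatch"
        rule = session.rules.get(req.listen_port)
        if rule is None:
            return False, f"no rule for port {req.listen_port}"
        if rule.require_encryption and not req.encrypted:
            return False, f"port {req.listen_port} requires an encrypted link"
        return True, f"{rule.target_host}:{rule.target_port}"


def demo() -> list[tuple[bool, str]]:
    """Constructed walk-through: one authenticated user, two rules, five requests."""
    gw = Gateway()
    gw.install_session("u1", "cert-u1", [
        Rule(8443, "orders-db.intranet", 5432, require_encryption=True),
        Rule(8080, "news.intranet", 80, require_encryption=False),
    ])
    results = [
        gw.route(Request("u1", 8443, encrypted=True, cert_id="cert-u1")),
        gw.route(Request("u1", 8443, encrypted=False, cert_id="cert-u1")),
        gw.route(Request("u1", 9000, encrypted=True, cert_id="cert-u1")),
        gw.route(Request("u2", 8080, encrypted=False, cert_id=None)),
    ]
    gw.revoke_session("u1")  # certificate revoked at session end: rules no longer apply
    results.append(gw.route(Request("u1", 8080, encrypted=False, cert_id="cert-u1")))
    return results
```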
The user is then free to use the resources provided by the access control management, such as querying the client database, modifying certain portions of the database, and entering new orders. The client and/or order information are displayed in the client/order details area 430. By way of example, other functions like the secure e-mail 450 are also handled by the access management applet. The applet may also provide unsecured links such as the link to company news 460. A plurality of service requests may occur and the process is repeated as many times as needed, in which case the operations contained within the box marked “User Operations” are repeated as required. If the user elects to terminate the session 670, a message to that effect is sent to the IPG. The IPG 20 receives the message, closes the tunnels and performs other tasks associated with session termination, and notifies the Access Controller, which indicates that the user is not logged on any longer, revokes the certificate 680, and the communication session ends.
The user may wish to access a resource requiring additional authentication. Such resource may comprise a part of the current organization, for example accessing the company personnel database, or the resource may belong to a second organization, such as accessing a client secure web site, and the like. A simplified process is described in
The Access Controller 50 also transmits a confirmation 755 to the user computer U1. This transmission may occur by any convenient means such as directly over the internet (preferably via a secure link), via ORG1 IPG 20, or via the newly established connection of IPG 21. Optionally a new or updated applet is also selected or generated 760 and sent to the user computer U1. The user computer establishes communication 765 with IPG 21 in a manner similar to that described for IPG 20, and therefore to the resources of ORG2 connected to intranet 31.
If such transparent login procedures between different organizations are established, it is desirable to know when all sessions have been terminated. It is therefore desirable to log each and every case of establishment of communications. Thus after establishment of communications 770 like tunnels and the like, IPG 21 reports 775 the establishment of a communication session to Access Controller 50, which utilizes this information to track open sessions using tunnel manager module 75. When the last open session to any organization is closed, the tunnel manager revokes all pending certificates, and the user will need to login again for the next session. The tunnel manager may further assist in preventing undesirable timeout, whereby if a session is active to one resource in one organization, time dependent resources in other organizations periodically receive minimal null activity to maintain the tunnel open.
Those skilled in the art will recognize that additional functions may be implemented. Thus, by way of example, the certificate server may be used to generate certificates for encryption of each specific service, the audit logic may log unsuccessful login attempts, and other common uses of the system components.
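The tunnel manager behaviour described here and in the earlier tunnel manager paragraph (per-user count of open tunnels registered by the gateways, certificate revocation when the last one closes, null activity sent to other gateways while a session is active, idle timeout), as an added example that is not the patent's code; gateway names, tunnel ids, certificate ids and the timeout value are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model of the tunnel manager module (75) in the Access Controller.
# Gateways (IPGs) register tunnel creation and closure and report user activity;
# the manager owns the certificate lifetime and the cross-gateway keep-alive.


@dataclass
class Tunnel:
    gateway: str          # gateway that registered the tunnel, e.g. "IPG20" (constructed name)
    last_activity: float  # seconds; supplied by the caller so the example is deterministic


class TunnelManager:
    def __init__(self, idle_timeout: float) -> None:
        self.idle_timeout = idle_timeout
        self._tunnels: dict[str, dict[str, Tunnel]] = {}  # user -> tunnel_id -> Tunnel
        self._certs: dict[str, str] = {}                   # user -> current certificate id
        self._revoked: set[str] = set()                    # revoked certificate ids (audit trail)
        self.keepalives: list[tuple[float, str]] = []      # (time, gateway) null activity sent

    def issue_certificate(self, user: str, cert_id: str) -> None:
        """Certificate server issued a certificate after the user authenticated."""
        self._certs[user] = cert_id

    def is_valid(self, cert_id: str) -> bool:
        return cert_id in self._certs.values() and cert_id not in self._revoked

    def open_count(self, user: str) -> int:
        return len(self._tunnels.get(user, {}))

    def register_open(self, user: str, tunnel_id: str, gateway: str, now: float) -> None:
        """A gateway registers a newly created tunnel; refused without a live certificate."""
        if user not in self._certs:
            raise PermissionError("no certificate issued; user must authenticate first")
        self._tunnels.setdefault(user, {})[tunnel_id] = Tunnel(gateway, now)

    def register_close(self, user: str, tunnel_id: str, now: float) -> bool:
        """A gateway registers a tunnel closure. Returns True if this revoked the certificate."""
        user_tunnels = self._tunnels.get(user, {})
        user_tunnels.pop(tunnel_id, None)
        if user_tunnels:
            return False                      # other tunnels still open: certificate stays valid
        self._tunnels.pop(user, None)
        cert = self._certs.pop(user, None)    # last tunnel closed: revoke, force re-authentication
        if cert is not None:
            self._revoked.add(cert)
        return cert is not None

    def report_activity(self, user: str, tunnel_id: str, now: float) -> list[str]:
        """A gateway saw real user traffic on one tunnel: refresh every tunnel of that user
        and send null activity to the user's other gateways so their sessions do not time out."""
        tunnels = self._tunnels[user]
        active_gateway = tunnels[tunnel_id].gateway
        pinged: set[str] = set()
        for t in tunnels.values():
            t.last_activity = now
            if t.gateway != active_gateway:
                self.keepalives.append((now, t.gateway))
                pinged.add(t.gateway)
        return sorted(pinged)

    def expire_idle(self, now: float) -> list[tuple[str, str]]:
        """Close tunnels idle for at least idle_timeout; revocation follows via register_close."""
        closed = []
        for user in list(self._tunnels):
            for tid, t in list(self._tunnels[user].items()):
                if now - t.last_activity >= self.idle_timeout:
                    self.register_close(user, tid, now)
                    closed.append((user, tid))
        return closed
```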
It will be appreciated that the invention is not limited to what has been described hereinabove merely by way of example. While there have been described what are at present considered to be the preferred embodiments of this invention, it will be obvious to those skilled in the art that various other embodiments, changes, and modifications may be made therein without departing from the spirit or scope of this invention and that it is, therefore, aimed to cover all such changes and modifications as fall within the true spirit and scope of the invention, for which letters patent is applied.