Embodiments relate to the technical field of data processing, in particular to methods and apparatuses associated with compliance assessment, including remediation workflow.
Compliance with industry standards and/or internal company standards generally requires monitoring of rules, settings, and/or configuration parameters of computing resources. For example, one standard might mandate a minimum password length, and registry settings of a computing device may be monitored to determine whether minimum password lengths used by the computing device meet or exceed the standard. This monitoring is often initiated by a server that requests a number of client settings from a monitored computing device. Upon receiving the settings, the server may then analyze, classify, and/or store them, and issue a compliance report. Based upon the compliance report, remediation may be required at the computing device in order to bring the computing device into compliance.
Embodiments of the disclosure will be described by way of exemplary embodiments, but not limitations, illustrated in the accompanying drawings in which like references denote similar elements, and in which:
Illustrative embodiments include, but are not limited to, methods, systems, and articles for remediation workflow. A method may include determining one or more test failures related to a policy test within a computer network. The method may further include reviewing the one or more test failures and, based upon a result of the reviewing, creating a remediation work order that includes at least one of the one or more test failures. Each test failure within the remediation work order may be approved or denied. For each test failure that is approved for remediation, a remediation process may be performed.
Various aspects of the illustrative embodiments will be described using terms commonly employed by those skilled in the art to convey the substance of their work to others skilled in the art. However, it will be apparent to those skilled in the art that alternate embodiments may be practiced with only some of the described aspects. For purposes of explanation, specific numbers, materials, and configurations are set forth in order to provide a thorough understanding of the illustrative embodiments. However, it will be apparent to one skilled in the art that alternate embodiments may be practiced without the specific details. In other instances, well-known features are omitted or simplified in order not to obscure the illustrative embodiments.
Further, various operations will be described as multiple discrete operations, in turn, in a manner that is most helpful in understanding the illustrative embodiments; however, the order of description should not be construed as to imply that these operations are necessarily order dependent. In particular, these operations need not be performed in the order of presentation.
The phrase “in one embodiment” is used repeatedly. The phrase generally does not refer to the same embodiment; however, it may. The terms “comprising,” “having,” and “including” are synonymous, unless the context dictates otherwise. The phrase “A/B” means “A or B”. The phrase “A and/or B” means “(A), (B), or (A and B)”. The phrase “at least one of A, B and C” means “(A), (B), (C), (A and B), (A and C), (B and C) or (A, B and C)”. The phrase “(A) B” means “(B) or (A B)”, that is, A is optional.
In various embodiments, target host 102 may be configured to include collection logic and one or more collection policies or rules 104 for use in capturing changes to data of the target host 102, such as changes to rules, settings, and/or configuration parameters. The target host 102 may be configured to provide, upon detecting/capturing a change, data associated with the change to the compliance server 106. Compliance server 106 may be configured to store in a change database 108. Compliance logic 110 may be configured to generate an event notification to notify one or more event listeners of the compliance server 106 that data associated with a newly detected change has been stored in the change database 108. Compliance logic 110 may be further configured to look up all compliance policies that are associated with collection policies or rules 104 that caused the collection of the received change data. The associated collection policies or rules 104 may be specified in the received change data. In some embodiments, compliance logic 110 may be further configured to filter the change data, and to determine whether one or more rules, settings, and/or parameters of the change data are associated with one or more compliance policies or rules 110. The determining may include evaluating an expression of at least one of the compliance policies or rules 110 against element data in the change data. In various embodiments, compliance logic 110 may be further configured to generate test results based on whether associated compliance policies or rules 110 were determined. In one embodiment, compliance logic 110 may be further configured to generate a report of the determined association. The compliance logic 110 may be further configured to provide the report may to target host 102, a compliance entity, as will be described more fully herein, and/or an administrative user of compliance server 106, or to some other system.
In various embodiments, target host 102 and compliance server 106 may be any sort of computing devices known in the art, except for collection logic and policies/rules 104, change database 108, and compliance logic and policies/rules 110. In various embodiments, target host 102 may be a node of a computer network made up of a plurality of nodes, wherein each node may be a computing system or device, a peripheral device, or a function/resource of a computer system/device. The computing systems/devices may be, for example, personal computers (PC), workstations, servers, routers, mainframes, modular computers within blade servers or high-density servers, personal digital assistants (PDA), entertainment centers, set-top boxes, or mobile devices. The peripheral devices may be, for example, printers, fax machines, multi-function printers, copying machines, etc. An exemplary computing device is illustrated by
In some embodiments, compliance server 106 and target host 102 may be deployed in a computing network of the same organization. In other embodiments, compliance server 106 may belong to a separate organization, such as a compliance monitoring organization whose purpose is to monitor and ensure industry standards. Also, in one embodiment, target host 102 and compliance server 106 may be separate logical components or virtual machines of the same or different computing device.
In various embodiments, as mentioned above, target host 102 may have one or more collection policies or rules 104, and compliance server 106 may have a change database 108 and one or more compliance policies or rules 110. These components and associated data and logic are also illustrated in
In various embodiments, where target host 102 and compliance server 106 are remotely disposed from each other, they may be communicatively coupled to each other. In some embodiments, the target host 102 and compliance server 106 may be coupled by a networking fabric (not illustrated). Such a networking fabric may include one or more of a local area network (LAN), a wide area network (WAN), and the Internet, as is known in the art. In one embodiment, the networking fabric may comprise a private network or a virtual private network (VPN) that may utilize tunneling. In some embodiments, where target host 102 and compliance server 106 belong to the same organization, they may be coupled by one or more private LANs or WANs of the organization.
In various embodiments, the captured/detected change may be associated with other descriptive data to form change data 202. For example, the change data 202 for a given change may include an identification of the target host 102 on which the change was captured, the rule or collection policy/rule 104 responsible for the capturing of the change, a name of the data element (such as a rule, setting, or configuration parameter) for which the change was detected, and the element data of the element for which the change was detected. In one embodiment, if the change was detected for a password having a minimum password length requirement, the change data 202 may include the name of the setting (e.g., “minPwdLength”) and the requirement, i.e. minimum password length (e.g., 10 characters).
In some embodiments, the collection policies/rules 104 and the logic 104 for applying them may be used to monitor a remote host. In such embodiments, the collection policies/rules 104 and logic 104 may be located on e.g., compliance server 106, or another device, and may be used to remotely detect changes on a target host 102.
In various embodiments, upon being generated, change data 202 may be sent to compliance server 106, and stored in change database 108. In other embodiments, change database 108 may reside on a different computing device then compliance server 106. For example, change database 108 may reside on a database server device that is communicatively coupled to compliance server 106. Further, in various embodiments, change database 108 may be any sort of database known in the art, such as a relational database, a normalized or de-normalized database, a data structure, or an unformatted file. In some embodiments, change database 108 may store all change data 202 received from target hosts 102. In other embodiments, change database 108 may have a data retention policy and may discard change data 202 after a specified/pre-determined duration of time.
As mentioned previously, in various embodiments, upon having new change data 202 stored in change database 108, an event notification may be generated to notify compliance logic 110 of compliance server 106 of the arrival of the change data 202. Such compliance logic 110 may include one or more event listeners configured to detect events as they are generated. Upon detecting an event, the compliance logic 110 of compliance server 106 may look up compliance policies/rules 110 associated with the received change data 202. In various embodiments, the associated compliance/policies/rules 110 may be specified in the change data 202 by collection logic 104. For example, if a collection logic 104 specified monitoring of a minimum password length, a compliance policy 110 specifying a minimum password length standard may be determined to be associated. Also, in some embodiments, compliance policies 110 may include elements specifying collection policies 104 to which they may apply. In such embodiments, determining matches may simply comprise comparing compliance policies 110 to collection policies 104 of change data 202 to determine if the compliance policies 110 specify the collection policies 104.
In various embodiments, compliance policies 110 may each comprise a number of policy elements. For example, a compliance policy 110 may specify a rule or collection policy 104, a change name (such as a name of the target host 102 data element for which a change was detected), one or more waivers from the compliance policy 110, and/or an expression for evaluating the change data 202. In some embodiments, the collection policy 104 may correspond to a collection policy 104 specified in change data 202 and the change name may correspond to an element name specified in change data 202. Also, the waivers may specify whether a target host 102 identified by change data 202 is exempted from the compliance policy 110. In some embodiments, the expression may include one or more conditions that are to be applied to data elements of change data 202 to determine whether the data elements are in compliance with the policy 110. In various embodiments, compliance policies 110 may be specified in any manner, such as, for example, tables, collections of tables, lists, or other data structures. Further, compliance policies 110 may be stored in any sort of file, database, or structure of compliance server 106. In one embodiment, compliance policies 110 may be stored remotely and fetched by compliance server 106.
In some embodiments, compliance server 106 may receive or retrieve new or updated compliance policies 110, periodically or as they become available. In one embodiment, such new or updated policies may be retrieved or received from a service or a compliance standards organization that defines industry standards.
In various embodiments, logic of compliance server 106 may filter 204 change data 202 after looking up associated compliance policies 106. As illustrated in
In some embodiments, the compliance server 106 may apply a compliance policy 110 to change data 202 to determine whether the one or more rules, settings, and/or configuration parameters specified in the change data meet one or more compliance policies 110. As previously mentioned, the rules, settings, and/or configuration parameters may be specified by the element name and element data of change data 202. And as illustrated, that determining may comprise evaluating 206 an expression specified in a compliance policy 110 against element data specified in the change data 202. For example, the expression of the compliance policy may specify that all passwords must be at least 10 characters long, and the element data of change data 202 may specify that a recently changed password length setting requires passwords to be only at least 9 characters long. Such an evaluation may then indicate that the password length setting of the target host 102 is not in compliance with compliance policy 110.
In various embodiments, the compliance server 106 may then generate 208 a test result based on the determining/evaluating 206. The test result may indicate either that the rule, setting, or configuration parameter specified in change data 202 is in compliance or not in compliance with compliance policy 110. In various embodiments, the test results may then be stored in a test results database (not illustrated). In one embodiment, the test results database may be identical to the change database. In some embodiments, the compliance server 106 may then generate a report based on the test result and may store the report or provide it to the target host 102, an administrative user through a user interface of compliance server 106, and/or some other system. The report may include an indication of whether or not a given rule, setting, or parameter is in compliance and, if not in compliance, an indication of what an appropriate value or values for a compliant rule, setting, or parameter would be. In one embodiment, the compliance server 106 may provide the report to an industry standards/compliance monitoring organization.
In some embodiments, upon receiving a report indicating that a rule, setting, or parameter is not in compliance, target host 102 may need a remedial measure to place the rule, setting, parameter or change in compliance.
Thus, in accordance with various embodiments, policy tests may be executed in order to insure that target host 102 is in compliance with various policies, rules and configuration parameters. Test results that are test failures at various target hosts 102 may be compiled into a report by either compliance server 106 or target hosts 102. A test failure indicates that a compliance policies 110 target host 102 (or more specifically, an element within a target host 102) is not in compliance with at least one policy, rule and/or configuration parameter.
Once the compliance entity has completed the remediation work order, the remediation work order may be placed, at 308, in a “Created” state. The compliance entity may assign, at 310, the remediation work order to a change approval entity. The change approval entity may then review, at 312, the remediation work order for approval purposes.
The change approval entity may examine each test failure in the remediation work order and may approve or deny remediation for each of the test failures listed within the remediation work order. The change approval entity may comment and/or provide information as to why a particular test failure was approved for remediation or was denied for remediation.
In accordance with various embodiments, the change approval entity may assign, at 314, a “approval identification (ID)” for the remediation work order. The remediation approval ID may correlate to or serve as a tracking ID in a ticketing system for remediation work orders.
Upon completion of the review by the change approval entity, the remediation work order may transition, at 316, to a “Reviewed” state. In accordance with various embodiments, the remediation work order may automatically transitions to the Reviewed state once one of the test failures within the remediation work order has been approved or denied.
Once the change approval entity has completed its review of the remediation work order, the change approval entity may provide, at 318, the work order to a remediation entity. The remediation entity may perform, at 320, various remediation processes in order to remediate test failures that have been approved for remediation. In accordance with the various embodiments, the remediation processes may include execution of remediation scripts.
In accordance with the various embodiments, the remediation entity may choose, at 322, to defer remediation of a test failure until a later point in time. Examples of reasons why one or more test failures may not be remediated include that a particular application at a target host 102 may be being upgraded or be subject to a change order. Additionally, remediation may disable the target host 102 thereby disabling one or more needed applications that may relate to security and/or business concerns. Also, during maintenance of the target host 102, it may be desirable to accrue changes during a change window and perform multiple remediations together. It may also be desirable to have further consideration before performing one or more remediations. Once all test failures outlined in the remediation work order have either been denied for remediation, approved for remediation but deferred, or approved for remediation and the remediation process has been completed, the remediation work order may transition, at 324, to a “Complete” state.
In accordance with various embodiments, the compliance entity periodically may review and monitor the status of remediation work orders. Once a remediation work order is in the Complete state, the compliance entity may transition, at 326, the remediation work order to a “Closed” state. In accordance with various embodiments, the remediation entity may inform the compliance entity that a particular remediation work order has transitioned to the Complete state. Once a remediation work order has transitioned to the Closed state, it may generally be stored, at 328, for historical purposes such that it may be available for review at future points in time if desired.
In accordance with various embodiments, the compliance entity may be a single individual, but may consist of more than one individual if desired. The compliance entity may also be a computing device, such as, for example, compliance server 106. The compliance logic 110 may generate work orders based upon policy test failures and may provide remediation measures. The change approval entity may generally consist of more than one individual, but may consist of only a single individual if desired. Likewise, the remediation entity may generally consist of two or more individuals, but may consist of only a single individual if desired. In accordance with various embodiments, a single individual may serve as one or more of the compliance entity, the change approval entity, and the remediation entity.
For ease of understanding, the described embodiments include a compliance entity, a change approval entity, and a remediation entity, which may be one or more individuals. All or part of the operations performed by the various entities may be facilitated by a computing device, such as compliance server 106. In various embodiments, all or part of the remediation workflow may be automated, with the operations performed by compliance server 106, and/or other computing systems.
Each of these elements performs its conventional functions known in the art. In particular, system memory 504 and mass storage 506 may be employed to store a working copy and a permanent copy of the programming instructions implementing one or more aspects of the above described teachings to practice the various embodiments, herein collectively denoted as computational logic 514. The various components may be implemented by assembler instructions supported by processor(s) 502 or high-level languages, such as, for example, C, that may be compiled into such instructions.
The permanent copy of the programming instructions may be placed into permanent storage 506 in the factory, or in the field, through, for example, a distribution medium (not illustrated), such as a compact disc (CD), or through communication interface 510 (from a distribution server (not illustrated)). That is, one or more distribution media having an implementation of the agent program may be employed to distribute the agent and program various computing devices.
The constitution of these elements 502-512 are generally known to one skilled in the art, and accordingly will not be further described.
In embodiments of the present invention, an article of manufacture (not illustrated) may be employed to implement one or more methods as disclosed herein. For example, in exemplary embodiments, an article of manufacture may comprise a non-transitory computer-readable storage medium, and a plurality of programming instructions stored on the computer-readable storage medium and configured to program one or more computing devices, in response to execution of the programming instructions, to perform operations including obtaining or facilitate obtaining one or more test failures related to one or more policy tests within a computer network, and creating or facilitate creating a remediation work order that includes at least one of the one or more test failures. The operations may further include providing the remediation work order to a change approval entity, and/or facilitating the change approval entity in (partially) approving the remediation work order. The operations may further including providing the remediation work order to a remediation entity, wherein the work order includes at least one test failure that has been approved, for remediation. The operations may further including executing or facilitating executing, for each test failure that is approved for remediation, a remediation process that corresponds to a particular test failure that is approved for remediation.
Although specific embodiments have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that a wide variety of alternate and/or equivalent implementations may be substituted for the specific embodiments illustrated and described, without departing from the scope of the embodiments. This application is intended to cover any adaptations or variations of the embodiments discussed herein. Therefore, it is manifestly intended that the embodiments be limited only by the claims and the equivalents thereof.
This application is a continuation of U.S. patent application Ser. No. 14/468,231, filed Aug. 25, 2014, which is a continuation of U.S. patent application Ser. No. 13/235,189, filed Sep. 16, 2011, now U.S. Pat. No. 8,819,491, which are hereby incorporated by reference herein in their entirety.
Number | Name | Date | Kind |
---|---|---|---|
5761502 | Jacobs | Jun 1998 | A |
6009246 | Chandra et al. | Dec 1999 | A |
6385665 | Canady et al. | May 2002 | B1 |
6564227 | Sakakibara et al. | May 2003 | B2 |
6601017 | Kennedy et al. | Jul 2003 | B1 |
6938081 | Mir | Aug 2005 | B1 |
7103874 | McCollum et al. | Sep 2006 | B2 |
7120680 | Higgins et al. | Oct 2006 | B1 |
7243348 | Good et al. | Jul 2007 | B2 |
7316016 | DiFalco | Jan 2008 | B2 |
7360099 | DiFalco et al. | Apr 2008 | B2 |
7451391 | Coleman et al. | Nov 2008 | B1 |
7496893 | Mohindra | Feb 2009 | B2 |
7587754 | DiFalco et al. | Sep 2009 | B2 |
7620715 | DiFalco et al. | Nov 2009 | B2 |
7765460 | DiFalco et al. | Jul 2010 | B2 |
7822724 | DiFalco et al. | Oct 2010 | B2 |
8065712 | Cheng et al. | Nov 2011 | B1 |
8140635 | DiFalco | Mar 2012 | B2 |
8176158 | DiFalco et al. | May 2012 | B2 |
8201257 | Andres et al. | Jun 2012 | B1 |
8301767 | Davis et al. | Oct 2012 | B1 |
8819491 | Whitlock et al. | Aug 2014 | B2 |
8862941 | Whitlock et al. | Oct 2014 | B2 |
9026646 | Whitlock et al. | May 2015 | B2 |
9088615 | Avlasov et al. | Jul 2015 | B1 |
9098333 | Obrecht et al. | Aug 2015 | B1 |
9304850 | Whitlock et al. | Apr 2016 | B1 |
20020188711 | Meyer et al. | Dec 2002 | A1 |
20030110243 | Soulhi | Jun 2003 | A1 |
20040078568 | Pham et al. | Apr 2004 | A1 |
20040153823 | Ansari | Aug 2004 | A1 |
20050008001 | Williams et al. | Jan 2005 | A1 |
20050081079 | Cheston et al. | Apr 2005 | A1 |
20050268326 | Bhargavan et al. | Dec 2005 | A1 |
20050278191 | DiFalco | Dec 2005 | A1 |
20060095552 | Dini et al. | May 2006 | A1 |
20060136570 | Pandya et al. | Jun 2006 | A1 |
20060224663 | DiFalco | Oct 2006 | A1 |
20060242277 | Torrence et al. | Oct 2006 | A1 |
20070005740 | DiFalco et al. | Jan 2007 | A1 |
20070022315 | Comegys | Jan 2007 | A1 |
20070022365 | DiFalco et al. | Jan 2007 | A1 |
20070043674 | DiFalco et al. | Feb 2007 | A1 |
20070043786 | DiFalco | Feb 2007 | A1 |
20070078701 | Bliznak | Apr 2007 | A1 |
20070101432 | Carpenter | May 2007 | A1 |
20070124255 | DiFalco et al. | May 2007 | A1 |
20070156696 | Lim | Jul 2007 | A1 |
20070266138 | Spire et al. | Nov 2007 | A1 |
20070282986 | Childress et al. | Dec 2007 | A1 |
20070299943 | Ogle et al. | Dec 2007 | A1 |
20080040191 | Chakravarty et al. | Feb 2008 | A1 |
20080040455 | MacLeod et al. | Feb 2008 | A1 |
20080046266 | Gudipalley et al. | Feb 2008 | A1 |
20080148346 | Gill et al. | Jun 2008 | A1 |
20080228908 | Link et al. | Sep 2008 | A1 |
20080271025 | Gross et al. | Oct 2008 | A1 |
20090106597 | Branca et al. | Apr 2009 | A1 |
20090216605 | Brayton | Aug 2009 | A1 |
20100005107 | DiFalco | Jan 2010 | A1 |
20100023519 | Kailash et al. | Jan 2010 | A1 |
20100024035 | Wallace | Jan 2010 | A1 |
20100050229 | Overby, Jr. | Feb 2010 | A1 |
20100063855 | Nguyen et al. | Mar 2010 | A1 |
20100198636 | Choudhary et al. | Aug 2010 | A1 |
20110126047 | Anderson et al. | May 2011 | A1 |
20110126099 | Anderson et al. | May 2011 | A1 |
20110126197 | Larsen et al. | May 2011 | A1 |
20110137905 | Good et al. | Jun 2011 | A1 |
20110138038 | Good et al. | Jun 2011 | A1 |
20110138039 | Good et al. | Jun 2011 | A1 |
20110197094 | Wagner | Aug 2011 | A1 |
20110197189 | Wagner et al. | Aug 2011 | A1 |
20110197205 | Wagner et al. | Aug 2011 | A1 |
20110202647 | Jin et al. | Aug 2011 | A1 |
20110302290 | Westerfeld et al. | Dec 2011 | A1 |
20120016802 | Zeng et al. | Jan 2012 | A1 |
20120023076 | Torrence et al. | Jan 2012 | A1 |
20120047239 | Donahue et al. | Feb 2012 | A1 |
20120102543 | Kohli et al. | Apr 2012 | A1 |
20120117610 | Pandya | May 2012 | A1 |
20120179805 | DiFalco | Jul 2012 | A1 |
20120198050 | Maki et al. | Aug 2012 | A1 |
20120216242 | Uner et al. | Aug 2012 | A1 |
20120222112 | DiFalco et al. | Aug 2012 | A1 |
20120271937 | Cotten et al. | Oct 2012 | A1 |
20130014107 | Kirchhofer | Jan 2013 | A1 |
20130133027 | Chickering et al. | May 2013 | A1 |
Number | Date | Country | |
---|---|---|---|
Parent | 14468231 | Aug 2014 | US |
Child | 15090114 | US | |
Parent | 13235189 | Sep 2011 | US |
Child | 14468231 | US |