Methods and systems for intelligently controlling access to computing resources

Information

  • Patent Application: 20070143827
  • Publication Number: 20070143827
  • Date Filed: June 13, 2006
  • Date Published: June 21, 2007
Abstract
Methods and systems are provided for fine tuning access control by remote, endpoint systems to host systems. Multiple conditions/states of one or both of the endpoint and host systems are monitored, collected and fed to an analysis engine. Using one or more of many different flexible, adaptable models and algorithms, an analysis engine analyzes the status of the conditions and makes decisions in accordance with pre-established policies and rules regarding the security of the endpoint and host system. Based upon the conditions, the policies, and the analytical results, actions are initiated regarding security and access matters. In one described embodiment of the invention, the monitored conditions include software vulnerabilities.
Description

BRIEF DESCRIPTION OF THE DRAWING FIGURES

These and other objects, features and advantages of the present invention will become apparent from a consideration of the following Detailed Description Of The Invention in conjunction with the drawing Figures, in which:

FIG. 1 is a block diagram showing features of a security compliance system in accordance with one embodiment of the present invention;

FIG. 2 is a flow chart showing a process for managing security compliance in accordance with an embodiment of the invention;

FIG. 3 is a functional block diagram showing the interaction of agents, managers, monitors and compliance engine in a security compliance system;

FIG. 4 is a flow chart showing the flow of information between agents, managers, monitors, and the policy management system;

FIG. 5 is a block diagram showing an alternate embodiment of the invention wherein various components of the policy management system are incorporated within the other computing systems;

FIG. 6 is a flow chart showing a process for integrating known security risks into a compliance system; and

FIG. 7 is a flow chart showing the operation of the analysis engine to analyze agent data and develop a compliance policy.


Claims
  • 1. A method operable on a computer for controlling the access of an endpoint computing system to a resource accessible by a host computing system, comprising: identifying within at least one of the endpoint and host computing systems a plurality of conditions, each condition having a state; establishing a policy based upon the state of each of the plurality of conditions for access to the resource by the endpoint computing system, the policy including at least one rule and an analysis method for determining compliance with the rule; collecting the state of each of the plurality of conditions; processing the state of each of the plurality of conditions using the analysis method; determining, based on the processing, the compliance of the conditions with the rule; and controlling, based on the determining, the access of the endpoint computing system to the resource.
  • 2. The method of claim 1 wherein at least one state is a non-quantitative value.
  • 3. The method of claim 2 and further including the step of, prior to the processing, converting the non-quantitative value to a quantitative value.
  • 4. The method of claim 3 wherein the analysis method is a quantitative analysis method.
  • 5. The method of claim 1 wherein at least one state is a quantitative value and at least one state is a non-quantitative value and wherein the analysis method includes the combination of a quantitative analysis method and a non-quantitative analysis method.
  • 6. The method of claim 1 wherein the step of collecting includes using a software agent.
  • 7. The method of claim 6 wherein the step of collecting further includes using at least one manager to aggregate the states collected by a plurality of software agents.
  • 8. The method of claim 6 wherein the step of controlling includes transmitting to the software agent an instruction to take an action.
  • 9. The method of claim 1 wherein the step of controlling includes permitting one or more system events in progress, detected from a state of a condition, to continue uninterrupted.
  • 10. The method of claim 1 wherein the steps of identifying, establishing, collecting, processing, determining, and controlling are performed on one or more of the group comprising the host computing system, the endpoint computing system and a policy management system connected to at least one of the host computing system and the endpoint computing system.
  • 11. The method of claim 1 wherein at least one state is a quantitative value and the analysis method is a quantitative analysis method.
  • 12. The method of claim 1 wherein the endpoint system is selected from the group comprising a user of the host system and an endpoint system separate from the host system.
  • 13. The method of claim 1 wherein the resource is selected from the group comprising a resource in the host computing system and a resource separate from and accessible through the host computing system.
  • 14. A system for controlling the access of an endpoint computing system to a resource accessible by a host computing system, comprising: a processor; a memory connected to the processor storing instructions to control the operation of the processor to perform the steps of identifying within at least one of the endpoint and host computing systems a plurality of conditions, each condition having a state; establishing a policy based upon the state of each of the plurality of conditions for access to the resource by the endpoint computing system, the policy including at least one rule and an analysis method for determining compliance with the rule; collecting the state of each of the plurality of conditions; processing the state of each of the plurality of conditions using the analysis method; determining, based on the processing, the compliance of the conditions with the rule; and controlling, based on the determining, the access of the endpoint computing system to the resource.
  • 15. A method for generating signals to control the access of an endpoint computing system to a resource in a host computing system, comprising: collecting a state for each of a plurality of conditions in at least one of the endpoint computing system and the host computing system; identifying a policy for determining access of the endpoint computing system to the resource, the policy including at least one rule and an analysis method for determining compliance with the rule; processing, using the analysis method, the state of each of the plurality of conditions; determining, based upon the processing, if the plurality of conditions are in compliance with the rule; and generating, based upon the determining, a signal usable to control the access of the endpoint computing system to the resource.
  • 16. The method of claim 15 wherein the endpoint computing system is selected from the group including a user of the host system and an endpoint computing system separate from the host system.
  • 17. The method of claim 15 wherein each of the states is selected from the group comprising a quantitative value and a non-quantitative value.
  • 18. The method of claim 17 further including the step of converting a non-quantitative value to a quantitative value; and wherein the analysis method is a quantitative analysis method.
  • 19. The method of claim 17 wherein the analysis method includes both a quantitative method for analyzing quantitative values and a non-quantitative method for analyzing non-quantitative values.
  • 20. The method of claim 15 wherein: the step of collecting is performed by receiving state data from an aggregator; and the step of generating a signal further includes outputting the signal to an aggregator.
  • 22. A system for generating signals to control the access of an endpoint computing system to a resource in a host computing system, comprising: means for collecting a state for each of a plurality of conditions in at least one of the endpoint computing system and the host computing system; means for identifying a policy for determining access of the endpoint computing system to the resource, the policy including at least one rule and an analysis method for determining compliance with the rule; means for processing, using the analysis method, the state of each of the plurality of conditions; means for determining, based upon the processing, if the plurality of conditions are in compliance with the rule; and means for generating, based upon the determining, a signal usable to control the access of the endpoint computing system to the resource.
  • 23. A program product storing instructions operable on a computer to control the computer to generate signals to control the access of an endpoint computing system to a resource in a host computing system, the instructions stored on the program product operable to control the computer to perform the steps of: collecting a state for each of a plurality of conditions in at least one of the endpoint computing system and the host computing system; identifying a policy for determining access of the endpoint computing system to the resource, the policy including at least one rule and an analysis method for determining compliance with the rule; processing, using the analysis method, the state of each of the plurality of conditions; determining, based upon the processing, if the plurality of conditions are in compliance with the rule; and generating, based upon the determining, a signal usable to control the access of the endpoint computing system to the resource.
  • 24. A method for developing a compliance policy to control the access of an endpoint computing system to a resource in a host computing system, comprising: identifying a plurality of conditions in at least one of the endpoint computing system and the host computing system, each of the plurality of conditions including an associated state; developing at least one rule; developing a policy for determining the compliance of each of the plurality of conditions with the at least one rule, the policy including at least one analysis method for processing each of the condition states to determine if the plurality of conditions are in compliance with the at least one rule.
  • 25. The method of claim 24 wherein each of the states is selected from the group comprising a quantitative value and a non-quantitative value.
  • 26. The method of claim 25 further including the step of converting a non-quantitative value to a quantitative value; and wherein the analysis method is a quantitative analysis method.
  • 27. The method of claim 24 wherein the analysis method includes both a quantitative method for analyzing quantitative values and a non-quantitative method for analyzing non-quantitative values.
  • 28. A system for developing a compliance policy to control the access of an endpoint computing system to a resource in a host computing system, comprising: means for identifying a plurality of conditions in at least one of the endpoint computing system and the host computing system, each of the plurality of conditions including an associated state; means for developing at least one rule; means for developing a policy for determining the compliance of each of the plurality of conditions with the at least one rule, the policy including at least one analysis method for processing each of the condition states to determine if the plurality of conditions are in compliance with the at least one rule.
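The abstract and claims 1 through 5, 8 and 15 describe a pipeline: collect the state of several endpoint conditions, convert any non-quantitative (categorical) state into a number, run a quantitative analysis method against the policy's rules, and emit a control signal plus remediation instructions for the agent. The following Python is an added illustration of that pipeline written for this page; it is not code from the patent or from any product built on it. The condition names, the categorical-to-numeric scale, the rule weights, the three decision thresholds and the agent reports are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

State = Union[int, float, str]

# Constructed lookup table that maps non-quantitative (categorical) states to
# numbers, so a single quantitative analysis method can score every condition
# (the conversion step of claims 3 and 18).
CATEGORICAL_SCALE: Dict[str, Dict[str, float]] = {
    "antivirus": {"disabled": 0.0, "enabled_stale": 0.5, "enabled_current": 1.0},
    "disk_encryption": {"off": 0.0, "on": 1.0},
}


@dataclass(frozen=True)
class Rule:
    condition: str                   # name of the monitored condition
    check: Callable[[float], bool]   # predicate applied to the quantified value
    weight: float                    # contribution to the aggregate score
    remediation: str                 # instruction sent to the agent on failure (claim 8)


@dataclass(frozen=True)
class Policy:
    rules: List[Rule]
    allow_threshold: float      # score at or above this: full access
    restrict_threshold: float   # score at or above this: restricted access; below: deny


def quantify(condition: str, state: State) -> float:
    """Convert a collected state into a number; categorical values use the scale table."""
    if isinstance(state, (int, float)) and not isinstance(state, bool):
        return float(state)
    try:
        return CATEGORICAL_SCALE[condition][state]
    except KeyError:
        raise ValueError(f"no quantitative mapping for {condition}={state!r}")


def evaluate(policy: Policy, states: Dict[str, State]) -> dict:
    """Run the policy's analysis method over the collected states and build the control signal."""
    failed: List[Rule] = []
    earned = 0.0
    total = sum(r.weight for r in policy.rules)
    for rule in policy.rules:
        if rule.condition not in states:
            failed.append(rule)   # missing evidence is treated as non-compliance, never as a pass
            continue
        if rule.check(quantify(rule.condition, states[rule.condition])):
            earned += rule.weight
        else:
            failed.append(rule)
    score = earned / total if total else 0.0
    if score >= policy.allow_threshold:
        decision = "allow"
    elif score >= policy.restrict_threshold:
        decision = "restrict"
    else:
        decision = "deny"
    return {
        "decision": decision,
        "score": round(score, 3),
        "violations": [r.condition for r in failed],
        "agent_instructions": [r.remediation for r in failed],
    }


# Constructed policy mixing quantitative and categorical conditions.
EXAMPLE_POLICY = Policy(
    rules=[
        Rule("antivirus", lambda v: v >= 1.0, 2.0, "update antivirus signatures"),
        Rule("disk_encryption", lambda v: v == 1.0, 2.0, "enable disk encryption"),
        Rule("critical_vulns", lambda v: v == 0, 3.0, "install pending security patches"),
        Rule("days_since_patch", lambda v: v <= 30, 1.0, "run patch cycle"),
    ],
    allow_threshold=1.0,
    restrict_threshold=0.6,
)

# Constructed agent reports standing in for the collected states of claim 1.
COMPLIANT_REPORT = {"antivirus": "enabled_current", "disk_encryption": "on",
                    "critical_vulns": 0, "days_since_patch": 12}
DEGRADED_REPORT = {"antivirus": "enabled_stale", "disk_encryption": "on",
                   "critical_vulns": 0, "days_since_patch": 45}
NONCOMPLIANT_REPORT = {"antivirus": "disabled", "disk_encryption": "off",
                       "critical_vulns": 3, "days_since_patch": 120}

if __name__ == "__main__":
    for name, report in [("compliant", COMPLIANT_REPORT),
                         ("degraded", DEGRADED_REPORT),
                         ("noncompliant", NONCOMPLIANT_REPORT)]:
        print(name, evaluate(EXAMPLE_POLICY, report))
```

The weighted score is one of the many analysis methods the abstract leaves open; the point of the structure is that the rules, the categorical scale and the thresholds are data, so the policy can be tuned without touching the engine. Treating a missing condition as a failed rule matters in practice: an agent that stops reporting should lose access rather than keep whatever it last earned.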
Provisional Applications (1)
Number Date Country
60752424 Dec 2005 US