US20220269792A1 - Implementing a multi-dimensional unified security and privacy policy with summarized access graphs - Google Patents
Implementing a multi-dimensional unified security and privacy policy with summarized access graphs Download PDFInfo
- Publication number
- US20220269792A1 US20220269792A1 US17/205,966 US202117205966A US2022269792A1 US 20220269792 A1 US20220269792 A1 US 20220269792A1 US 202117205966 A US202117205966 A US 202117205966A US 2022269792 A1 US2022269792 A1 US 2022269792A1
- Authority
- US
- United States
- Prior art keywords
- data
- discovered
- deterministic
- computerized method
- privacy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000000034 method Methods 0.000 claims abstract description 87
- 238000013507 mapping Methods 0.000 claims abstract description 3
- 238000013475 authorization Methods 0.000 claims description 3
- 238000001914 filtration Methods 0.000 claims description 2
- 230000008569 process Effects 0.000 description 43
- 238000010801 machine learning Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 230000035945 sensitivity Effects 0.000 description 5
- 238000011161 development Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000008520 organization Effects 0.000 description 3
- 238000012360 testing method Methods 0.000 description 3
- 238000013528 artificial neural network Methods 0.000 description 2
- 238000013135 deep learning Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 239000000463 material Substances 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000013497 data interchange Methods 0.000 description 1
- 238000003066 decision tree Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000001939 inductive effect Effects 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000000737 periodic effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000011002 quantification Methods 0.000 description 1
- 230000002787 reinforcement Effects 0.000 description 1
- 238000012502 risk assessment Methods 0.000 description 1
- 238000013522 software testing Methods 0.000 description 1
- 238000012706 support-vector machine Methods 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
- 230000003442 weekly effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/23—Updating
- G06F16/2379—Updates performed during online database operations; commit processing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
- G06F9/541—Interprogram communication via adapters, e.g. between incompatible applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Definitions
- This application related to cloud-platform security and more specifically to an implementing risk discovery with unified security and privacy policies with summarized access graphs.
- a computerized method for implementing risk discovery with a set of unified security and privacy policies includes the step of discovering a set of data and a set of data accesses within an enterprise computing system.
- the method includes the step of classifying the set of discovered data and the set of data accesses with an identification that shows which of the data assets are important or critical for the enterprise.
- the method includes the step of determining which of the set of discovered data and the set of data accesses have or are associated with sensitive information.
- the method includes the step of placing the set of discovered data and the set of data accesses that are associated with sensitive information into a set of discovered information about the infrastructure.
- the method includes the step of determining which of the set of discovered data and the set of data accesses are relevant in the context of a specified governmental data privacy regulation.
- the method includes the step of placing the set of discovered data and the set of data accesses that are relevant in the context of a specified governmental data privacy regulation into a set of discovered information about the infrastructure.
- the method includes the step of, with the set of discovered information about the infrastructure, mapping the set of discovered information about the infrastructure to a set of deterministic dimensions.
- FIG. 1 illustrates an example process for implementing risk discovery with unified security and privacy policies, according to some embodiments.
- FIG. 2 illustrates another process for RC graph implementation, according to some embodiments.
- FIGS. 3 and 4 illustrate example equations that can be used to implement process 200 , according to some embodiments.
- FIG. 5 illustrates an example screenshot showing an equation used to define summary attributes for each service/identity discovered in the detailed access graph, according to some embodiments.
- a summarized access graph can be generate using the equation of FIG. 6 , according to some embodiments.
- FIG. 7 illustrates an example access graph, according to some embodiments.
- FIG. 8 illustrates an example summarized access graph, according to some embodiments.
- FIG. 9 illustrates an alternative summarized access graph 900 , according to some embodiments.
- the following description is presented to enable a person of ordinary skill in the art to make and use the various embodiments. Descriptions of specific devices, techniques, and applications are provided only as examples. Various modifications to the examples described herein can be readily apparent to those of ordinary skill in the art, and the general principles defined herein may be applied to other examples and applications without departing from the spirit and scope of the various embodiments.
- the schematic flow chart diagrams included herein are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, and they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
- API Application programming interface
- An API can be a computing interface that defines interactions between multiple software intermediaries.
- An API can define the types of calls and/or requests that can be made, how to make them, the data formats that should be used, the conventions to follow, etc.
- An API can also provide extension mechanisms so that users can extend existing functionality in various ways and to varying degrees.
- API key can be a unique identifier used to authenticate a user, developer, or calling program to an API.
- An API key can be used to authenticate a service with the API rather than a human user.
- CCPA California Consumer Privacy Act
- Dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access.
- Deep learning can include various machine learning methods (see infra) based on artificial neural networks with representation learning. Deep learning can be supervised, semi-supervised or unsupervised.
- Deterministic dimensions can be a summarized grain of attributes. The deterministic nature of these dimensions are due to the fact that the cardinality of these attributes can be fixed. The intent that is expressed in a set of specified deterministic dimensions can be pre-known/pre-determined.
- Distributed version control systems can include Internet hosting for software development and version control.
- the distributed version-control system can track changes in any set of files.
- the distributed version-control system can be designed for coordinating work among programmers cooperating on source code during software development.
- GDPR General Data Protection Regulation
- JSON JavaScript Object Notation
- JSON is an open standard file format, and data interchange format, that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and array data types (and/or any other serializable value).
- Machine learning can use statistical techniques to give computers the ability to learn and progressively improve performance on a specific task with data, without being explicitly programmed.
- Machine learning is a type of artificial intelligence (AI) that provides computers with the ability to learn without being explicitly programmed.
- AI artificial intelligence
- Machine learning focuses on the development of computer programs that can teach themselves to grow and change when exposed to new data.
- Example machine learning techniques that can be used herein include, inter alia: decision tree learning, association rule learning, artificial neural networks, inductive logic programming, support vector machines, clustering, Bayesian networks, reinforcement learning, representation learning, similarity, and metric learning, and/or sparse dictionary learning.
- Named-entity recognition can be a subtask of information extraction that seeks to locate and classify named entities mentioned in unstructured text into pre-defined categories.
- Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
- Open Policy Agent can be a general-purpose policy engine with uses ranging from authorization and admission control to data filtering. OPA can provide a unified toolset and framework for policy across the cloud native stack.
- PII personal data
- PII data can be information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in a specified context.
- Risk criticality can include quantifying the possibility of a service or data being subject to an attack or being a victim of a breach.
- Criticality can be a measure of sensitivity of data, measured by buckets (e.g. high, medium, low) which can include “code”, PII, personal data, patents, etc.
- Runtime application self-protection is a security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.
- Sankey diagrams are a type of flow diagram in which the width of the arrows is proportional to the flow rate.
- Sensitive information is something that scores high in sensitivity like PII data of data subjects, code, patents, personnel information, keys, certifications etc.
- Shift-left testing can be an approach to software testing and system testing in which testing is performed earlier in the life cycle of software development.
- SaaS Software as a service
- Example methods can be used to express policy intent around risk, criticality in a multi-dimensional representation and a translation framework for the same to OPA for security policy purposes.
- example methods can enable a multi-dimensional risk-criticality (RC) representation of enterprise data assets.
- the RC Graph can be built from the scanned infrastructure.
- the RC graph can enable enterprises to represent their assets using the deterministic dimensions that the RC Graph can represent with. Additionally, examples of the dimensions that comprise this multi-dimensional representation are discussed infra.
- FIG. 1 illustrates an example process 100 for implementing risk discovery with unified security and privacy policies, according to some embodiments.
- Process 100 provides an RC graph implementation and method to determine a set of deterministic dimensions.
- step 102 process 100 discovers data and data access within an enterprise.
- step 104 process 100 classifies the discovered data to help the enterprises identify which of the data assets are important or critical for the enterprise.
- Step 104 can be used to determine which of the data assets have sensitive information.
- Step 104 can be used to determine which of the data assets and access are important in the context of regulation.
- process 100 can map the info to the deterministic dimensions. In one example, this can be a list of 32 deterministic dimensions (e.g. discussed infra).
- process 100 can let/enable the user/enterprise to express the intent and/or enterprise assets from the specified deterministic dimensions to represent a policy or intent. As noted, in some examples, this can be the thirty-two (32) dimensions discussed infra.
- process 100 can generate a unified privacy/security OPA policy.
- This policy can assist enterprises to maintain a desired posture with respect to applicable regulations.
- process 100 can enable a single policy for security and policy Privacy based policy posture for data/zero trust protection.
- Process 100 can continuously arm an enterprise with a policy that can help with maintaining a posture for a privacy regulation article (e.g. GDPR, CCPA, CIS AWS, CPRA, etc.).
- Process 100 can provide policy materialization and enforcement.
- Process 100 can generate a privacy policy (e.g. as a Rego expressed OPA policy, etc.).
- Process 100 can materialize a privacy policy so that it can be pushed to K8, Kafka, etc. as OPA policies.
- a Data Store e.g. DS1, DS2, DS3 can be an example deterministic dimension.
- An Access Frequency (e.g. minutes, hourly, daily, weekly, monthly, random (e.g. more than once but no fixed pattern), one time, etc.) can be an example deterministic dimension.
- An Electronic Identity (e.g. yes, no) (e.g. person or system) can be an example deterministic dimension.
- a Role Privileges (e.g. root, open or restrictive access (e.g. are all the permissions being used or there is over provisioning), etc.) can be an example deterministic dimension.
- a Multi Service Role (e.g. yes, no) (e.g. specific or multiple (can the role be used to access more than one service)) can be an example deterministic dimension.
- a PII-NERs (e.g. name, national id, date of birth (DoB), address, etc.) can be an example deterministic dimension.
- a sensitivity status (e.g. personal, code, patents, financial information) (e.g. PII, secrets/keys, personal data, healthcare data/medical record numbers (MRNs), intellectual property—code, patent, financial data, etc.) can be an example deterministic dimension.
- An anonymization status (e.g. not anonymized, pseudo anonymized, not applicable (example for non-personal data), etc.) can be an example deterministic dimension.
- An access status (e.g. public, enterprise, account, virtual private cloud (VPC), signed access, etc.) can be an example deterministic dimension.
- An MFA status (e.g. yes, no, not applicable) can be an example deterministic dimension.
- a SaaS status (e.g. Github, Gitlab, SN, SFDC) can be an example deterministic dimension.
- An API access status (e.g. Yes, No) can be an example deterministic dimension.
- a Keys Managed by a key management service (KMS) status (e.g. Amazon Web Services (AWS), HashiCorp-Vault, Azure, GCP, Other) can be an example deterministic dimension.
- KMS key management service
- a Role status (e.g. Access Identity's Role) (e.g. HR, Payroll, Engineering Mgr, Core Banking (Electronic Identity) Role, etc.) can be an example deterministic dimension.
- An API Path (e.g. /employee/add, /employee/list, /vendors/list/, /reports/list, etc.) can be an example deterministic dimension.
- a Service status (e.g. API Gateway—AG01, S3-S01) can be an example deterministic dimension.
- An Access Identity (e.g. Supreeth, Aria, Ravi, Core Banking) can be an example deterministic dimension.
- a Service status (e.g. API Gateway—AG01, S3-501) can be an example deterministic dimension.
- An Encrypted status (e.g. Yes, No) can be an example deterministic dimension.
- An Access status (e.g. Public, Enterprise, Account, VPC) can be an example deterministic dimension.
- An Access Logging Level (e.g. Info logging enabled, Secrets/PH leaking in logs, etc.) can be an example deterministic dimension.
- a Storage Delete Protection status can be an example deterministic dimension.
- a Last Access Time (e.g. Data Minimization) (e.g. 30 days, Last Qtr, Last six months, Year, 5 years, etc.) can be an example deterministic dimension.
- a Dark Web status (e.g. Data Seen On Darkweb (Pastebin, etc.), Interest Noted On Dark Web, etc.) can be an example deterministic dimension.
- An Access Location (e.g. USA, Germany, India) can be an example deterministic dimension.
- a Subject Residency (e.g. Germany, India, USA, UK) can be an example deterministic dimension.
- a Service Location status (e.g. Primary Location (US-east-1a, US-east, US-east-2a), Backup Location (US-west-1a, US-west, US-west-2a), etc.) can be an example deterministic dimension.
- a Vendor/Vendor Location (e.g. US-east-1a, US-east, US-east-2a) can be an example deterministic dimension.
- a Data Location (e.g. Primary Location (US-east-1a, US-east, US-east-2a); Backup Location (US-west-1a, US-west, US-west-2a); etc.) can be an example deterministic dimension.
- a Service Image Posture (e.g. How: AMI/Container Image Registry Scan) can be an example deterministic dimension. This can include any Vulnerabilities Levels Present (e.g. Critical [9, 10], High [7, 9), Medium [4, 7), Low [0.1, 4), etc.). This can include Cipher Suites (e.g. Scanner Integration—Qualys/Nessus/AWS Inspector/ . . . ). This can include vulnerabilities exploited (e.g. RASP integration).
- a File Malware Scan (e.g. of S3, Box, etc.) can be an example deterministic dimension.
- a Risk level (e.g. High Medium Low) (e.g. driven by a known template, like PII data, or exposed to the internet or likes, which customers can customize if need be) can be an example deterministic dimension.
- FIG. 2 illustrates another process 200 for RC graph implementation, according to some embodiments. It is noted that process 200 can be utilized by process 100 and/or vice versa in various embodiments.
- process 200 can define data assets.
- Process 200 can define summary attributes for each data asset.
- process 200 can use the following categories for summarization. This can include a criticality value.
- the criticality value can determine how critical is a data asset to the organization. There can be three levels of criticality: high, medium, low.
- Process 200 can use a region value (e.g. determine where the data asset is located; etc.).
- Process 200 can use a protection status value (e.g. determine the data asset protected using encryption; determine if it kept in clear-text; etc.).
- Process 200 can use a privacy value (e.g. Does the data asset anonymize PII data; etc.).
- Process 200 can examine PII entities, categories, etc.
- Process 200 can use an access value (e.g. Does the data asset contain personal information; Does it contain confidential information; etc.).
- process 200 can determine if the organization associates a tag, such as a scope or a namespace, for the data asset. For example, process 200 can determine if the asset used in production, stage, and/or development deployments. This namespace attribute can be defined by the customer. Also, this could be inferred from an existing tag in the data asset metadata.
- FIGS. 3 and 4 illustrate example screen shots of equations 300 and 400 that can be used to implement process 200 (e.g. step 202 ), according to some embodiments. Equation 300 can provide an access graph. Equation 400 can be used to generate the access graph, and can be defined as: d 1 ,T(d 1 ).
- process 200 can define summary attributes for each service/identity discovered in the detailed access graph.
- Process 200 can define summary attributes for each service/identity discovered in the detailed access graph. These attributes can be specific to each data asset that the service/identity is accessing. The following categories can be used for summarization.
- Process 200 can use a risk value (e.g. determine if there a risk associated with the service/identity.
- Process 200 can use three levels of risk quantification: high, medium, low.
- Process 200 can use a region value (e.g. determine a region where the service is located).
- Process 200 can assume role constraints (e.g. determine a type of identity that is used to access the data asset; determine if there is a person identity or a system; etc.).
- Process 200 can use an API/key based identity. For example, the following can be a list of summarized values for this attribute: person or system open or restrictive access specific or multiple (not instances of the same service).
- Process 200 can use a frequency value (e.g. determine the frequency of access; determine if an event occurs periodically (e.g. scheduled) or randomly (e.g. from an API call)).
- a frequency value e.g. determine the frequency of access; determine if an event occurs periodically (e.g. scheduled) or randomly (e.g. from an API call)).
- Process 200 can use a namespace value. For example process 200 can determine if the organization associates a tag, such as a scope or a namespace, for the service or identity. For example, process 200 can determine if the service or identity is used in a production, stage, development deployment(s).
- the namespace attribute can be defied by the customer. Additionally, it can be inferred from an existing tag in the service/identity metadata.
- FIG. 5 illustrates an example screenshot 500 showing an equation used to define summary attributes for each service/identity discovered in the detailed access graph, according to some embodiments.
- process 200 can generate summarized access graph from outputs of steps 202 and 204 .
- summarized access graph can be generate using the equation of FIG. 6 , according to some embodiments.
- FIG. 7 illustrates an example access graph, according to some embodiments.
- the edges of the access graph can be associated with the operation performed by a service or an identity on a data asset (e.g. captured as the color of the edge in the underlying access graph).
- Access graph identifies what kind of the operation does the service/identity makes on the data asset.
- Operations can be, inter alia: create, read, list, write, delete, uncategorized, etc.
- Examples indicates that what could not determine semantics of the operation.
- Access graph 700 includes an AWS Lambda L 1 702 function that reads from a HTTP endpoint D 1 708 , processes the data, and writes to an S3 bucket D 2 710 (e.g. using Roles R 1 and R 2 704 and 706 respectively).
- FIG. 8 illustrates an example summarized access graph 800 , according to some embodiments.
- Summarized access graph 800 can be generated from the same context as access graph 700 .
- Summarized access graph 800 includes nodes 802 and 804 . It is noted that both data assets are low-critical containing non anonymized non-public data (e.g. accessible only by the enterprise) in the clear.
- Lambda L 1 702 can use a system identity with restrictive access that is specific for Lambda L 1 702 .
- Summarized access graph 800 can be generated from example access graph 700 .
- a low-risk service/identity assumes a system identity that is restrictive and specific for that service to read a low critical data assert containing non-anonymized non-public data (e.g. accessible only by the enterprise) in the clear.
- a low-risk service/identity assumes a system identity that is restrictive and specific for that service to write a low critical data assert containing non-anonymized/non-public data (accessible only by the enterprise) in the clear.
- FIG. 9 illustrates an alternative summarized access graph 900 , according to some embodiments.
- Summarized access graph 900 can include nodes 902 - 906 .
- Lambda L 1 702 uses a restrictive identity to read and a broader identity that allows write access to more that one bucket to write the data.
- summarized access graph 900 can be generated for access graph 700 . It is noted that when a drill-down is performed on a service graph, it can expand to the detailed access graph representing the actual services/identities and data assets that are involved in the particular subgraph of SG that was selected for the drill-down.
- RC graph or the multi-dimensional model can be used to represent many use cases.
- a set of data stores e.g. RDS, DynamoDB, etc.
- RDS DynamoDB
- these stores should be encrypted and no outside VPC access to these stores.
- a new API token can be provided on a new path alert when the request/response involves sensitive information (PII, Company Confidential, Code, Patents).
- the RC graph dimensions can be used to represent this issue.
- a set of data stores e.g. RDS, DynamoDB, etc.
- the store can be encrypted such that no outside VPC access to these stores is available.
- a new API token can be seen on a new path alert only when the request/response involves sensitive information (e.g. PII, Company Confidential, Code, Patents).
- sensitive information e.g. PII, Company Confidential, Code, Patents.
- the four (4) dimensional layers can be: access identity (e.g. Supreeth, Aria, Ravi, Core Banking); API path (/employee/add, /employee/list, /vendors/new); service (e.g. API Gateway—AG01, S3-S01); sensitivity (PII, Code, Patents, Financial information); etc.
- the various operations, processes, and methods disclosed herein can be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer system), and can be performed in any order (e.g., including using means for achieving the various operations). Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.
- the machine-readable medium can be a non-transitory form of machine-readable medium.
Abstract
A computerized method for implementing risk discovery with a set of unified security and privacy policies, includes the step of discovering a set of data and a set of data accesses within an enterprise computing system. The method includes the step of classifying the set of discovered data and the set of data accesses with an identification that shows which of the data assets are important or critical for the enterprise. The method includes the step of determining which of the set of discovered data and the set of data accesses have or are associated with sensitive information. The method includes the step of placing the set of discovered data and the set of data accesses that are associated with sensitive information into a set of discovered information about the infrastructure. The method includes the step of determining which of the set of discovered data and the set of data accesses are relevant in the context of a specified governmental data privacy regulation. The method includes the step of placing the set of discovered data and the set of data accesses that are relevant in the context of a specified governmental data privacy regulation into a set of discovered information about the infrastructure. The method includes the step of, with the set of discovered information about the infrastructure, mapping the set of discovered information about the infrastructure to a set of deterministic dimensions.
Description
- This application claims priority to U.S. Provisional Patent Application No. 63/153,362, filed on 24 Feb. 2021 and titled DATA PRIVACY AND ZERO TRUST SECURITY CENTERED AROUND DATA AND ACCESS, ALONG WITH AUTOMATED POLICY GENERATION AND RISK ASSESSMENTS. This provisional patent application is incorporated herein by reference in its entirety.
- This application related to cloud-platform security and more specifically to an implementing risk discovery with unified security and privacy policies with summarized access graphs.
- New regulations are currently being applied to data security and data privacy. For example, the European Union (EU) has implemented the General Data Protection Regulation (GDPR) for citizens/residents of the EU. Likewise, the state of California has the California Consumer Privacy Act (CCPA) to enhance privacy rights and consumer protection for residents of California. These new laws and regulations have financial penalties for entities that infringe consumer privacy and data rules. Accordingly, there is now a financial incentive to avoid the financial burden of violating data privacy regulations.
- At the same time, innovations in cloud-computing technology have made various previous technologies for protecting data privacy obsolete or anachronistic. For example, using firewalls based on IP based addresses etc. no longer makes sense in some current contexts. Accordingly, improvements to data privacy and data security policies, and automated risk assessments are desired.
- A computerized method for implementing risk discovery with a set of unified security and privacy policies, includes the step of discovering a set of data and a set of data accesses within an enterprise computing system. The method includes the step of classifying the set of discovered data and the set of data accesses with an identification that shows which of the data assets are important or critical for the enterprise. The method includes the step of determining which of the set of discovered data and the set of data accesses have or are associated with sensitive information. The method includes the step of placing the set of discovered data and the set of data accesses that are associated with sensitive information into a set of discovered information about the infrastructure. The method includes the step of determining which of the set of discovered data and the set of data accesses are relevant in the context of a specified governmental data privacy regulation. The method includes the step of placing the set of discovered data and the set of data accesses that are relevant in the context of a specified governmental data privacy regulation into a set of discovered information about the infrastructure. The method includes the step of, with the set of discovered information about the infrastructure, mapping the set of discovered information about the infrastructure to a set of deterministic dimensions.
-
FIG. 1 illustrates an example process for implementing risk discovery with unified security and privacy policies, according to some embodiments. -
FIG. 2 illustrates another process for RC graph implementation, according to some embodiments. -
FIGS. 3 and 4 illustrate example equations that can be used to implementprocess 200, according to some embodiments. -
FIG. 5 illustrates an example screenshot showing an equation used to define summary attributes for each service/identity discovered in the detailed access graph, according to some embodiments. - A summarized access graph can be generate using the equation of
FIG. 6 , according to some embodiments. -
FIG. 7 illustrates an example access graph, according to some embodiments. -
FIG. 8 illustrates an example summarized access graph, according to some embodiments. -
FIG. 9 illustrates an alternative summarizedaccess graph 900, according to some embodiments. - The Figures described above are a representative set and are not exhaustive with respect to embodying the invention.
- Disclosed are a system, method, and article for implementing a multi-dimensional unified security and privacy policy with summarized access graphs. The following description is presented to enable a person of ordinary skill in the art to make and use the various embodiments. Descriptions of specific devices, techniques, and applications are provided only as examples. Various modifications to the examples described herein can be readily apparent to those of ordinary skill in the art, and the general principles defined herein may be applied to other examples and applications without departing from the spirit and scope of the various embodiments.
- Reference throughout this specification to ‘one embodiment,’ ‘an embodiment,’ ‘one example,’ or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases ‘in one embodiment,’ ‘in an embodiment,’ and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
- Furthermore, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art can recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
- The schematic flow chart diagrams included herein are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, and they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
- Example definitions for some embodiments are now provided.
- Application programming interface (API) can be a computing interface that defines interactions between multiple software intermediaries. An API can define the types of calls and/or requests that can be made, how to make them, the data formats that should be used, the conventions to follow, etc. An API can also provide extension mechanisms so that users can extend existing functionality in various ways and to varying degrees.
- Application programming interface key (API key) can be a unique identifier used to authenticate a user, developer, or calling program to an API. An API key can be used to authenticate a service with the API rather than a human user.
- California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California.
- Dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access.
- Deep learning can include various machine learning methods (see infra) based on artificial neural networks with representation learning. Deep learning can be supervised, semi-supervised or unsupervised.
- Deterministic dimensions can be a summarized grain of attributes. The deterministic nature of these dimensions are due to the fact that the cardinality of these attributes can be fixed. The intent that is expressed in a set of specified deterministic dimensions can be pre-known/pre-determined.
- Distributed version control systems can include Internet hosting for software development and version control. The distributed version-control system can track changes in any set of files. The distributed version-control system can be designed for coordinating work among programmers cooperating on source code during software development.
- General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
- JSON (JavaScript Object Notation) is an open standard file format, and data interchange format, that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and array data types (and/or any other serializable value).
- Machine learning (ML) can use statistical techniques to give computers the ability to learn and progressively improve performance on a specific task with data, without being explicitly programmed. Machine learning is a type of artificial intelligence (AI) that provides computers with the ability to learn without being explicitly programmed. Machine learning focuses on the development of computer programs that can teach themselves to grow and change when exposed to new data. Example machine learning techniques that can be used herein include, inter alia: decision tree learning, association rule learning, artificial neural networks, inductive logic programming, support vector machines, clustering, Bayesian networks, reinforcement learning, representation learning, similarity, and metric learning, and/or sparse dictionary learning.
- Named-entity recognition (NER) can be a subtask of information extraction that seeks to locate and classify named entities mentioned in unstructured text into pre-defined categories.
- Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
- Open Policy Agent (OPA) can be a general-purpose policy engine with uses ranging from authorization and admission control to data filtering. OPA can provide a unified toolset and framework for policy across the cloud native stack.
- Personal data (PII) can be personally identifiable information. PII data can be information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in a specified context.
- Risk criticality (RC) can include quantifying the possibility of a service or data being subject to an attack or being a victim of a breach. Criticality can be a measure of sensitivity of data, measured by buckets (e.g. high, medium, low) which can include “code”, PII, personal data, patents, etc.
- Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.
- Sankey diagrams are a type of flow diagram in which the width of the arrows is proportional to the flow rate.
- Sensitive information is something that scores high in sensitivity like PII data of data subjects, code, patents, personnel information, keys, certifications etc.
- Shift-left testing can be an approach to software testing and system testing in which testing is performed earlier in the life cycle of software development.
- Software as a service (SaaS) is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.
- Discovery and Unified Security and Privacy Policies
- Example methods can be used to express policy intent around risk, criticality in a multi-dimensional representation and a translation framework for the same to OPA for security policy purposes. For example, example methods can enable a multi-dimensional risk-criticality (RC) representation of enterprise data assets. Based off automated discovery, the RC Graph can be built from the scanned infrastructure. The RC graph can enable enterprises to represent their assets using the deterministic dimensions that the RC Graph can represent with. Additionally, examples of the dimensions that comprise this multi-dimensional representation are discussed infra.
-
FIG. 1 illustrates anexample process 100 for implementing risk discovery with unified security and privacy policies, according to some embodiments.Process 100 provides an RC graph implementation and method to determine a set of deterministic dimensions. Instep 102,process 100 discovers data and data access within an enterprise. Instep 104,process 100 classifies the discovered data to help the enterprises identify which of the data assets are important or critical for the enterprise. Step 104 can be used to determine which of the data assets have sensitive information. Step 104 can be used to determine which of the data assets and access are important in the context of regulation. - In
step 106, from the discovered information about the infrastructure,process 100 can map the info to the deterministic dimensions. In one example, this can be a list of 32 deterministic dimensions (e.g. discussed infra). Instep 108,process 100 can let/enable the user/enterprise to express the intent and/or enterprise assets from the specified deterministic dimensions to represent a policy or intent. As noted, in some examples, this can be the thirty-two (32) dimensions discussed infra. - In
step 110,process 100 can generate a unified privacy/security OPA policy. This policy can assist enterprises to maintain a desired posture with respect to applicable regulations. - In one example,
process 100 can enable a single policy for security and policy Privacy based policy posture for data/zero trust protection.Process 100 can continuously arm an enterprise with a policy that can help with maintaining a posture for a privacy regulation article (e.g. GDPR, CCPA, CIS AWS, CPRA, etc.).Process 100 can provide policy materialization and enforcement.Process 100 can generate a privacy policy (e.g. as a Rego expressed OPA policy, etc.).Process 100 can materialize a privacy policy so that it can be pushed to K8, Kafka, etc. as OPA policies. - An example discussion of various deterministic dimensions is now provided. It is noted that these deterministic dimensions are provided by way of example and not of limitation. Accordingly, other example deterministic inventions can be utilized in other examples. A Data Store (e.g. DS1, DS2, DS3) can be an example deterministic dimension.
- An Access Frequency (e.g. minutes, hourly, daily, weekly, monthly, random (e.g. more than once but no fixed pattern), one time, etc.) can be an example deterministic dimension.
- An Electronic Identity (e.g. yes, no) (e.g. person or system) can be an example deterministic dimension.
- A Role Privileges (e.g. root, open or restrictive access (e.g. are all the permissions being used or there is over provisioning), etc.) can be an example deterministic dimension.
- A Multi Service Role (e.g. yes, no) (e.g. specific or multiple (can the role be used to access more than one service)) can be an example deterministic dimension.
- A PII-NERs (e.g. name, national id, date of birth (DoB), address, etc.) can be an example deterministic dimension.
- A sensitivity status (e.g. personal, code, patents, financial information) (e.g. PII, secrets/keys, personal data, healthcare data/medical record numbers (MRNs), intellectual property—code, patent, financial data, etc.) can be an example deterministic dimension.
- An anonymization status (e.g. not anonymized, pseudo anonymized, not applicable (example for non-personal data), etc.) can be an example deterministic dimension.
- An access status (e.g. public, enterprise, account, virtual private cloud (VPC), signed access, etc.) can be an example deterministic dimension.
- An MFA status (e.g. yes, no, not applicable) can be an example deterministic dimension.
- A SaaS status (e.g. Github, Gitlab, SN, SFDC) can be an example deterministic dimension.
- An API access status (e.g. Yes, No) can be an example deterministic dimension.
- A Keys Managed by a key management service (KMS) status (e.g. Amazon Web Services (AWS), HashiCorp-Vault, Azure, GCP, Other) can be an example deterministic dimension.
- A Role status (e.g. Access Identity's Role) (e.g. HR, Payroll, Engineering Mgr, Core Banking (Electronic Identity) Role, etc.) can be an example deterministic dimension.
- An API Path (e.g. /employee/add, /employee/list, /vendors/list/, /reports/list, etc.) can be an example deterministic dimension.
- A Service status (e.g. API Gateway—AG01, S3-S01) can be an example deterministic dimension.
- An Access Identity (e.g. Supreeth, Aria, Ravi, Core Banking) can be an example deterministic dimension.
- A Service status (e.g. API Gateway—AG01, S3-501) can be an example deterministic dimension.
- An Encrypted status (e.g. Yes, No) can be an example deterministic dimension.
- An Access status (e.g. Public, Enterprise, Account, VPC) can be an example deterministic dimension.
- An Access Logging Level (e.g. Info logging enabled, Secrets/PH leaking in logs, etc.) can be an example deterministic dimension.
- A Storage Delete Protection status can be an example deterministic dimension.
- A Last Access Time (e.g. Data Minimization) (e.g. 30 days, Last Qtr, Last six months, Year, 5 years, etc.) can be an example deterministic dimension.
- A Dark Web status (e.g. Data Seen On Darkweb (Pastebin, etc.), Interest Noted On Dark Web, etc.) can be an example deterministic dimension.
- An Access Location (e.g. USA, Germany, India) can be an example deterministic dimension.
- A Subject Residency (e.g. Germany, India, USA, UK) can be an example deterministic dimension.
- A Service Location status (e.g. Primary Location (US-east-1a, US-east, US-east-2a), Backup Location (US-west-1a, US-west, US-west-2a), etc.) can be an example deterministic dimension.
- A Vendor/Vendor Location (e.g. US-east-1a, US-east, US-east-2a) can be an example deterministic dimension.
- A Data Location (e.g. Primary Location (US-east-1a, US-east, US-east-2a); Backup Location (US-west-1a, US-west, US-west-2a); etc.) can be an example deterministic dimension.
- A Service Image Posture (e.g. How: AMI/Container Image Registry Scan) can be an example deterministic dimension. This can include any Vulnerabilities Levels Present (e.g. Critical [9, 10], High [7, 9), Medium [4, 7), Low [0.1, 4), etc.). This can include Cipher Suites (e.g. Scanner Integration—Qualys/Nessus/AWS Inspector/ . . . ). This can include vulnerabilities exploited (e.g. RASP integration).
- A File Malware Scan (e.g. of S3, Box, etc.) can be an example deterministic dimension.
- A Risk level (e.g. High Medium Low) (e.g. driven by a known template, like PII data, or exposed to the internet or likes, which customers can customize if need be) can be an example deterministic dimension.
-
FIG. 2 illustrates anotherprocess 200 for RC graph implementation, according to some embodiments. It is noted thatprocess 200 can be utilized byprocess 100 and/or vice versa in various embodiments. - In
step 202,process 200 can define data assets.Process 200 can define summary attributes for each data asset. For example,process 200 can use the following categories for summarization. This can include a criticality value. The criticality value can determine how critical is a data asset to the organization. There can be three levels of criticality: high, medium, low.Process 200 can use a region value (e.g. determine where the data asset is located; etc.).Process 200 can use a protection status value (e.g. determine the data asset protected using encryption; determine if it kept in clear-text; etc.). -
Process 200 can use a privacy value (e.g. Does the data asset anonymize PII data; etc.).Process 200 can examine PII entities, categories, etc.Process 200 can use an access value (e.g. Does the data asset contain personal information; Does it contain confidential information; etc.). - An example list of summarized values for access types of a data asset is now provided. This can include, inter alia: Public; Non-Public (e.g. personal information (PI) (e.g. user data); confidential insider enterprise only; partner only; vendor-only; namespace; etc.). Furthermore,
process 200 can determine if the organization associates a tag, such as a scope or a namespace, for the data asset. For example,process 200 can determine if the asset used in production, stage, and/or development deployments. This namespace attribute can be defined by the customer. Also, this could be inferred from an existing tag in the data asset metadata.FIGS. 3 and 4 illustrate example screen shots ofequations Equation 300 can provide an access graph.Equation 400 can be used to generate the access graph, and can be defined as: d1,T(d1). - In
step 204,process 200 can define summary attributes for each service/identity discovered in the detailed access graph.Process 200 can define summary attributes for each service/identity discovered in the detailed access graph. These attributes can be specific to each data asset that the service/identity is accessing. The following categories can be used for summarization.Process 200 can use a risk value (e.g. determine if there a risk associated with the service/identity.Process 200 can use three levels of risk quantification: high, medium, low. -
Process 200 can use a region value (e.g. determine a region where the service is located).Process 200 can assume role constraints (e.g. determine a type of identity that is used to access the data asset; determine if there is a person identity or a system; etc.). -
Process 200 can use an API/key based identity. For example, the following can be a list of summarized values for this attribute: person or system open or restrictive access specific or multiple (not instances of the same service). -
Process 200 can use a frequency value (e.g. determine the frequency of access; determine if an event occurs periodically (e.g. scheduled) or randomly (e.g. from an API call)). -
Process 200 can use a namespace value. Forexample process 200 can determine if the organization associates a tag, such as a scope or a namespace, for the service or identity. For example,process 200 can determine if the service or identity is used in a production, stage, development deployment(s). The namespace attribute can be defied by the customer. Additionally, it can be inferred from an existing tag in the service/identity metadata. -
FIG. 5 illustrates anexample screenshot 500 showing an equation used to define summary attributes for each service/identity discovered in the detailed access graph, according to some embodiments. For example, in the above example access graph, a1,B(a1,d1) for service a1 accessing can be defined as follows: B(a1,d1)=[<low, us-west-1, system-open-specific, periodic, prod>]. - In step 206
process 200 can generate summarized access graph from outputs ofsteps FIG. 6 , according to some embodiments. -
FIG. 7 illustrates an example access graph, according to some embodiments. It is noted that the edges of the access graph can be associated with the operation performed by a service or an identity on a data asset (e.g. captured as the color of the edge in the underlying access graph). Access graph identifies what kind of the operation does the service/identity makes on the data asset. Operations can be, inter alia: create, read, list, write, delete, uncategorized, etc. Uncategorized indicates that what could not determine semantics of the operation. - More specifically,
example access graph 700 is illustrated.Access graph 700 includes anAWS Lambda L 1 702 function that reads from a HTTP endpoint D1 708, processes the data, and writes to an S3 bucket D2 710 (e.g. using Roles R1 andR -
FIG. 8 illustrates an example summarizedaccess graph 800, according to some embodiments. Summarizedaccess graph 800 can be generated from the same context asaccess graph 700. Summarizedaccess graph 800 includesnodes Lambda L 1 702 can use a system identity with restrictive access that is specific forLambda L 1 702. Summarizedaccess graph 800 can be generated fromexample access graph 700. - Based on summarized
access graph 800, h some illustrative examples of access patterns are provided. In the PROD namespace, a low-risk service/identity assumes a system identity that is restrictive and specific for that service to read a low critical data assert containing non-anonymized non-public data (e.g. accessible only by the enterprise) in the clear. Likewise, in the PROD namespace, a low-risk service/identity assumes a system identity that is restrictive and specific for that service to write a low critical data assert containing non-anonymized/non-public data (accessible only by the enterprise) in the clear. -
FIG. 9 illustrates an alternative summarizedaccess graph 900, according to some embodiments. Summarizedaccess graph 900 can include nodes 902-906. As an alternative setup, consider thatLambda L 1 702 uses a restrictive identity to read and a broader identity that allows write access to more that one bucket to write the data. Again, summarizedaccess graph 900 can be generated foraccess graph 700. It is noted that when a drill-down is performed on a service graph, it can expand to the detailed access graph representing the actual services/identities and data assets that are involved in the particular subgraph of SG that was selected for the drill-down. - RC graph or the multi-dimensional model can be used to represent many use cases. Three illustrative examples are now discussed. A set of data stores (e.g. RDS, DynamoDB, etc.) may include PII information. Accordingly, these stores should be encrypted and no outside VPC access to these stores. In another example, there may data access from outside the location of an AWS, GCP or Azure region. Accordingly, there may be a need to block such an access at an API gateway. In another example, a new API token can be provided on a new path alert when the request/response involves sensitive information (PII, Company Confidential, Code, Patents).
- The RC graph dimensions can be used to represent this issue. For a set of data stores (e.g. RDS, DynamoDB, etc.) if there is any PII information in these stores, the store can be encrypted such that no outside VPC access to these stores is available. There can be four (4) dimensional layers in this example: data store (e.g. DS1, DS2, DS3); sensitivity (e.g. PII, code, patents, financial information); encrypted (e.g. yes, no); access (e.g. public, enterprise, account, VPC); etc.
- It can be determined if there is data access into a VPC happening from outside the location of an AWS or GCP or Azure region. This access can be blocked at an API gateway. There can be three dimensional layers in this example: cloud provider (AWS, GCP, Azure, Oracle, IBM); region (US-West-2, us-west?-b, us-westl-a, west US 2); service (API Gateway—AGO?, S3-S01). Here, the service is the service which the access from an outside cloud provider is accessing.
- In another example, a new API token can be seen on a new path alert only when the request/response involves sensitive information (e.g. PII, Company Confidential, Code, Patents). Here the four (4) dimensional layers can be: access identity (e.g. Supreeth, Aria, Ravi, Core Banking); API path (/employee/add, /employee/list, /vendors/new); service (e.g. API Gateway—AG01, S3-S01); sensitivity (PII, Code, Patents, Financial information); etc.
- Although the present embodiments have been described with reference to specific example embodiments, various modifications and changes can be made to these embodiments without departing from the broader spirit and scope of the various embodiments. For example, the various devices, modules, etc. described herein can be enabled and operated using hardware circuitry, firmware, software or any combination of hardware, firmware, and software (e.g., embodied in a machine-readable medium).
- In addition, it can be appreciated that the various operations, processes, and methods disclosed herein can be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer system), and can be performed in any order (e.g., including using means for achieving the various operations). Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense. In some embodiments, the machine-readable medium can be a non-transitory form of machine-readable medium.
Claims (11)
1. A computerized method for implementing risk discovery with a set of unified security and privacy policies, comprising:
discovering a set of data and a set of data accesses within an enterprise computing system;
classifying the set of discovered data and the set of data accesses with an identification that shows which of the data assets are important or critical for the enterprise by:
determining which of the set of discovered data and the set of data accesses have or are associated with sensitive information,
placing the set of discovered data and the set of data accesses that are associated with sensitive information into a set of discovered information about the infrastructure,
determining which of the set of discovered data and the set of data accesses are relevant in the context of a specified governmental data privacy regulation,
placing the set of discovered data and the set of data accesses that are relevant in the context of a specified governmental data privacy regulation into a set of discovered information about the infrastructure; and
with the set of discovered information about the infrastructure, mapping the set of discovered information about the infrastructure to a set of deterministic dimensions.
2. The computerized method of claim 1 , further comprising:
enabling the enterprise to select a subset of deterministic dimensions from the set deterministic dimensions to represent a policy or intent.
3. The computerized method of claim 2 , further comprising:
providing an Open Policy Agent (OPA) as a general-purpose policy engine that implements a set of authorization and admission control to data filtering operations based on the selected subset of deterministic dimensions.
4. The computerized method of claim 2 , further comprising:
generating a unified privacy and security OPA policy, wherein the unified privacy and security OPA policy assists enterprises to maintain a desired posture with respect to the specified governmental regulations.
5. The computerized method of claim 4 , wherein there are thirty-two (32) deterministic dimensions.
6. The computerized method of claim 5 , further comprising:
generating a Risk criticality (RC) graph based on the subset of deterministic dimensions.
7. The computerized method of claim 6 , wherein the governmental regulation comprises the General Data Protection Regulation (GDPR).
8. The computerized method of claim 6 , wherein the governmental regulation comprises the California Consumer Privacy Act (CCPA).
9. The computerized method of claim 10 , wherein the RC graph quantifies a risk of a service or a data being subject to a cyber attack.
10. The computerized method of claim 1 , wherein a deterministic dimension has a cardinality of fixed attributes.
11. The computerized method of claim 10 , wherein an intent expressed by a specified set of deterministic dimensions is pre-defined.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/205,966 US20220269792A1 (en) | 2021-02-24 | 2021-03-18 | Implementing a multi-dimensional unified security and privacy policy with summarized access graphs |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US202163153362P | 2021-02-24 | 2021-02-24 | |
US17/205,966 US20220269792A1 (en) | 2021-02-24 | 2021-03-18 | Implementing a multi-dimensional unified security and privacy policy with summarized access graphs |
Publications (1)
Publication Number | Publication Date |
---|---|
US20220269792A1 true US20220269792A1 (en) | 2022-08-25 |
Family
ID=82900771
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/205,966 Abandoned US20220269792A1 (en) | 2021-02-24 | 2021-03-18 | Implementing a multi-dimensional unified security and privacy policy with summarized access graphs |
US17/335,932 Pending US20220269815A1 (en) | 2021-02-24 | 2021-06-01 | Methods and systems for prevention of vendor data abuse |
US17/527,466 Pending US20220272111A1 (en) | 2021-02-24 | 2021-11-16 | Cloud-platform push for known data breaches |
Family Applications After (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/335,932 Pending US20220269815A1 (en) | 2021-02-24 | 2021-06-01 | Methods and systems for prevention of vendor data abuse |
US17/527,466 Pending US20220272111A1 (en) | 2021-02-24 | 2021-11-16 | Cloud-platform push for known data breaches |
Country Status (1)
Country | Link |
---|---|
US (3) | US20220269792A1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150326594A1 (en) * | 2014-05-06 | 2015-11-12 | International Business Machines Corporation | Network data collection and response system |
US20180375892A1 (en) * | 2017-06-23 | 2018-12-27 | Ido Ganor | Enterprise cyber security risk management and resource planning |
US20200057864A1 (en) * | 2018-08-17 | 2020-02-20 | Mentis Inc | System and method for data classification centric sensitive data discovery |
US20200110894A1 (en) * | 2018-10-05 | 2020-04-09 | Optum, Inc. | Methods, apparatuses, and systems for data rights tracking |
US20220050828A1 (en) * | 2020-08-17 | 2022-02-17 | Lucidum, Inc. | Asset discovery data classification and risk evaluation |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9722895B1 (en) * | 2013-11-08 | 2017-08-01 | Skyhigh Networks, Inc. | Vendor usage monitoring and vendor usage risk analysis system |
US9443112B2 (en) * | 2014-05-23 | 2016-09-13 | Bank Of America Corporation | Secure media container |
US20160140466A1 (en) * | 2014-11-14 | 2016-05-19 | Peter Sidebottom | Digital data system for processing, managing and monitoring of risk source data |
US10037425B2 (en) * | 2015-08-26 | 2018-07-31 | Symantec Corporation | Detecting suspicious file prospecting activity from patterns of user activity |
US10868832B2 (en) * | 2017-03-22 | 2020-12-15 | Ca, Inc. | Systems and methods for enforcing dynamic network security policies |
US10178096B2 (en) * | 2017-03-31 | 2019-01-08 | International Business Machines Corporation | Enhanced data leakage detection in cloud services |
US11386343B2 (en) * | 2017-05-09 | 2022-07-12 | Elasticsearch B.V. | Real time detection of cyber threats using behavioral analytics |
US10812521B1 (en) * | 2018-08-10 | 2020-10-20 | Amazon Technologies, Inc. | Security monitoring system for internet of things (IOT) device environments |
US11228612B2 (en) * | 2019-03-28 | 2022-01-18 | International Business Machines Corporation | Identifying cyber adversary behavior |
US11516228B2 (en) * | 2019-05-29 | 2022-11-29 | Kyndryl, Inc. | System and method for SIEM rule sorting and conditional execution |
US11405207B2 (en) * | 2019-07-31 | 2022-08-02 | The Toronto-Dominion Bank | Dynamic implementation and management of hash-based consent and permissioning protocols |
US11399041B1 (en) * | 2019-11-22 | 2022-07-26 | Anvilogic, Inc. | System for determining rules for detecting security threats |
US11470047B1 (en) * | 2019-11-29 | 2022-10-11 | Amazon Technologies, Inc. | Managed virtual networks for computing cloud edge locations |
US10917401B1 (en) * | 2020-03-24 | 2021-02-09 | Imperva, Inc. | Data leakage prevention over application programming interface |
US11722522B2 (en) * | 2020-08-07 | 2023-08-08 | Zscaler, Inc. | Cloud security posture management systems and methods with a cloud-based system |
US11470159B2 (en) * | 2020-08-28 | 2022-10-11 | Cisco Technology, Inc. | API key security posture scoring for microservices to determine microservice security risks |
US11848949B2 (en) * | 2021-01-30 | 2023-12-19 | Netskope, Inc. | Dynamic distribution of unified policies in a cloud-based policy enforcement system |
-
2021
- 2021-03-18 US US17/205,966 patent/US20220269792A1/en not_active Abandoned
- 2021-06-01 US US17/335,932 patent/US20220269815A1/en active Pending
- 2021-11-16 US US17/527,466 patent/US20220272111A1/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150326594A1 (en) * | 2014-05-06 | 2015-11-12 | International Business Machines Corporation | Network data collection and response system |
US20180375892A1 (en) * | 2017-06-23 | 2018-12-27 | Ido Ganor | Enterprise cyber security risk management and resource planning |
US20200057864A1 (en) * | 2018-08-17 | 2020-02-20 | Mentis Inc | System and method for data classification centric sensitive data discovery |
US20200110894A1 (en) * | 2018-10-05 | 2020-04-09 | Optum, Inc. | Methods, apparatuses, and systems for data rights tracking |
US20220050828A1 (en) * | 2020-08-17 | 2022-02-17 | Lucidum, Inc. | Asset discovery data classification and risk evaluation |
Also Published As
Publication number | Publication date |
---|---|
US20220269815A1 (en) | 2022-08-25 |
US20220272111A1 (en) | 2022-08-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11178182B2 (en) | Automated access control management for computing systems | |
US11785104B2 (en) | Learning from similar cloud deployments | |
US11368476B2 (en) | Data-defined architecture for network data management | |
US20200084242A1 (en) | Systems and methods for blockchain security data intelligence | |
US20230032686A1 (en) | Using real-time monitoring to inform static analysis | |
US11894984B2 (en) | Configuring cloud deployments based on learnings obtained by monitoring other cloud deployments | |
KR102542720B1 (en) | System for providing internet of behavior based intelligent data security platform service for zero trust security | |
US20230075355A1 (en) | Monitoring a Cloud Environment | |
US11770398B1 (en) | Guided anomaly detection framework | |
US20220279004A1 (en) | Facilitating developer efficiency and application quality | |
US11539751B2 (en) | Data management platform | |
US11381587B2 (en) | Data segmentation | |
Atzeni et al. | Countering android malware: A scalable semi-supervised approach for family-signature generation | |
US20230275917A1 (en) | Identifying An Attack Surface Of A Cloud Deployment | |
US20230319092A1 (en) | Offline Workflows In An Edge-Based Data Platform | |
Ávila et al. | Use of security logs for data leak detection: a systematic literature review | |
Billawa et al. | Sok: Security of microservice applications: A practitioners’ perspective on challenges and best practices | |
Goel et al. | Privacy-breaching patterns in NoSQL databases | |
Manikandakumar et al. | Security and Privacy Challenges in Big Data Environment | |
Demissie et al. | Assessing the Effectiveness of the Shared Responsibility Model for Cloud Databases: The Case of Google’s Firebase | |
US11818156B1 (en) | Data lake-enabled security platform | |
Khan et al. | Database intrusion detection systems (dids): Insider threat detection via behaviour-based anomaly detection systems-a brief survey of concepts and approaches | |
US20220269792A1 (en) | Implementing a multi-dimensional unified security and privacy policy with summarized access graphs | |
Gnatyuk et al. | Cloud-Based Cyber Incidents Response System and Software Tools | |
Shivakumara et al. | Review Paper on Dynamic Mechanisms of Data Leakage Detection and Prevention |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |