WO2015099607A1 - An integrated access control and identity management system - Google Patents


Info

Publication number
WO2015099607A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
user
access control
information
criterion
Prior art date
Application number
PCT/SG2014/000192
Other languages
French (fr)
Inventor
Tiong Hwee YONG
Poh Beng Tan
Tye San YAP
Melattur S CHANDRASEKARAN
Honching Lui
Original Assignee
Certis Cisco Security Pte Ltd
Application filed by Certis Cisco Security Pte Ltd
Related applications: SG11201602975YA, CN106104548B, AU2014370501A1
Publication: WO2015099607A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2111 Location-sensitive, e.g. geographical location, GPS

Definitions

  • the present invention relates to an integrated access control system for controlling access to at least an IT resource by a person, and to a method of controlling access to at least an IT resource by a person.
  • access by persons through any one of a plurality of doors is controlled by providing each door with a credential reader for gathering one or more credentials from a person, such as a pin number, biometric information or an ID number stored on a card, and verifying the gathered credentials with reference credentials stored in a back end system.
  • such IT access control may be implemented by each user operable computing device associated with the IT resource, or may be implemented at least in part using a separate gateway device that operates to control access and to grant or deny access based on the user's credentials.
  • an access control system comprising:
  • an IT access control unit arranged to monitor attempts to access an IT resource by a person
  • the IT access control unit arranged to determine whether and the extent to which access should be granted to a user based on the stored access criteria
  • the stored access criteria are arranged such that an identity criterion indicative of the identity of the user able to access the IT resource, a location criterion indicative of the location from which the user is allowed to access the IT resource, a time criterion indicative of the time at which the user is allowed to access the IT resource, a type criterion indicative of the type of IT resource that the user is allowed to access, and/or an access level criterion indicative of the level of access authority given to the user are definable in the stored access criteria.
  • the system comprises a physical access control unit arranged to monitor attempts to physically access an area by a person. In one embodiment, the system comprises an access
  • the system being arranged to store in the access information storage device access information indicative of access attempts monitored by the IT and physical access control units.
  • the identity criterion, the location criterion, the time criterion, the type criterion, and the access level criterion are all defined in the stored access criteria for at least one user associated with the system.
  • the IT resource comprises at least one software application and/or data stored in at least one data storage device.
  • the time criterion is indicative of the duration of time during which a user is allowed to access the IT resource.
  • the type criterion is indicative of one or more storage locations that the user is allowed to access, and/or one or more software applications that the user is allowed to access, and/or one or more data types that the user is allowed to access.
  • the type criterion is a trust level criterion indicative of the maximum level of sensitivity of data the user is allowed to access.
  • the access level criterion is selected from a group including administrator, supervisor, view only, and no access.
  • the system is arranged to associate tag information with the access information and to store the tag information in the access information storage device, the tag information including information usable to make a determination as to whether a first access attempt monitored by the physical access control unit is related to a second access attempt monitored by the IT access control unit.
  • the identity of a user is determined based on credentials gathered from the person.
  • the credential information may include biometric information associated with the person, identification information gathered from an identification card carried by the person, a PIN number provided by the person, or any other identification information.
  • the tag information includes location information indicative of the location of the access attempt associated with the tag information.
  • the tag information includes credential information indicative of at least one credential gathered from a person attempting to access an area or resource.
  • the tag information includes date and/or time information.
  • the tag information is in the form of metadata added to the access information.
  • the system comprises an integrated access control and identity management station in communication with the access control units, the integrated access control and identity management station receiving the access information and tag information from the first and second access control units and being arranged such that the access information and tag information are accessible through the integrated access control and identity management station.
  • the integrated access control and identity management station may be arranged so as to facilitate searching by a user through access information and/or tag information.
  • the integrated access control and identity management station may be accessed locally, or remotely, and may be accessed through a communications network such as the Internet.
  • the stored access criteria are arranged such that an identity criterion indicative of the identity of the user able to access the IT resource, a location criterion indicative of the location from which the user is allowed to access the IT resource, a time criterion indicative of the time at which the user is allowed to access the IT resource, a type criterion indicative of the type of IT resource that the user is allowed to access, and/or an access level criterion indicative of the level of access authority given to the user are definable in the stored access criteria.
  • Figure 1 is a diagrammatic representation of an access control system in accordance with an embodiment of the present invention;
  • Figure 2 is a diagrammatic representation of components of the access control system shown in Figure 1 ;
  • Figure 3 shows an access matrix of the access control system shown in Figures 1 and 2.
  • an embodiment of an access control system 10 that is arranged to control physical access to an area and IT access to a resource is shown.
  • the access control system 10 also facilitates storing historical access event information associated with a user in an access information storage device and facilitating access to the historical access event information by an operator of the system.
  • An access event includes positive identification of a person and consequent granting of access by the person, either physically to at least part of an area or
  • the system 10 includes a physical access control arrangement 12, an IT access control arrangement 14 and an integrated access control and identity management station 16.
  • the physical and IT access control arrangements 12, 14 are disposed at the same location or in close proximity to each other.
  • the physical access control arrangement 12 is arranged to control physical access to an area, and to determine whether an undesirable access event has occurred, such as a failed physical access attempt based on gathered user credentials or an attempt to forcibly gain physical access.
  • information indicative of access attempts is sent to the integrated access control and identity management station 16 by the physical access control arrangement 12 and the IT access control arrangement 14, and relevant tag information is added to the access information by each of the access control arrangements 12, 14.
  • the tag information includes information usable to associate access events with each other, for example information indicative of location, information indicative of the gathered user credential data, date and/or time information, and so on.
  • the physical access arrangement 12 includes a physical access control unit 20 arranged to control physical access attempts, and in particular to gather credentials from users seeking to gain physical access to an area, compare the gathered credentials with reference credentials, and grant or deny access based on the comparison.
  • the physical access control unit 20 is connected to at least one camera 22 arranged to gather video information from the surrounding area, at least one access point 24, such as a door, and at least one credential reader 26.
  • Each access point 24 has an associated door lock 25 that in this example is controlled by a respective physical access control unit 20 such that the door lock 25 may be caused to enable or prevent opening of the access point 24 in response to an appropriate signal from the physical access control unit 20.
  • the credential reader 26 gathers at least one user credential from a person desiring to pass through the access point 24, and the physical access control unit 20 compares the gathered user credentials with stored reference user credentials and makes a decision as to whether to grant or deny access. If access is granted, the physical access control unit 20 sends a signal to the door lock 25 to dispose the door lock 25 in an unlocked state and thereby allow the person to pass through the access point 24 and access the area. If access is not granted, the physical access control unit 20 does not send a signal to the door lock 25 and the door lock 25 therefore remains in a locked state, thereby preventing the person from passing through the access point 24 and into the area.
  • access may also be based on the time and/or date that the access attempt occurred. For example, users may be allocated different dates and/or times when access is permitted, and the physical access control unit 20 arranged to allow access only at the allocated dates and/or times.
  • the credential reader 26 is in the form of a biometric reader arranged to gather biometric data from a person, such as fingerprint data, although it will be understood that other types of credential reader are envisaged, such as a card reader arranged to read a personal identification card carried by a person, a keypad for enabling a person to enter a PIN number, or any other device arranged to determine the identity of a person.
  • the access point 24 is a door, it will be appreciated that other types of access point are envisaged, such as an elevator door, turnstile, parking gate, or any other physical barrier.
  • the access point 24 has associated sensors 27, in this example for detecting whether the access point 24 is open or closed. Any suitable sensor for this purpose is envisaged, and in this example magnetic-type proximity sensors are used.
  • the sensors 27 are connected to the physical access control unit 20, and the physical access control unit 20 monitors the sensors 27 and generates a warning signal when the access point 24 is open.
  • the warning may be used to trigger an alarm, for example in the event that a
  • a potential unauthorised access event or an actual unauthorised access event may also be determined using the camera 22, for example by automatically analysing video and/or images captured by the camera 22 at the physical access control unit 20.
  • the physical access control unit 20 also includes a tagging application 28 arranged to add the tag information 29 to the access information sent to the integrated access control and identity management station 16.
  • the tag information 29 includes information indicative of the location of the physical access control arrangement 12, the date and time that the access attempt occurred, biometric information gathered from the person desiring to pass through the access point 24, and/or any other relevant information.
  • the tagging application 28 may source the tag information from the credential reader 26, from location and/or identification information stored at the physical access control unit 20, or from any other suitable source.
  • the physical access control arrangement 12 includes a location application 31 arranged to determine the location of the physical access control unit 20, for example using a determined IP address related to the current location of the physical access control unit 20.
  • the access information indicative of the physical access attempt and associated tag information received at the integrated access control and identity management station 16 is stored in a data storage device in communication with the integrated access control and identity management station 16, in this example in the form of a database 40.
  • the database 40 includes a plurality of records 42, each of which relates to an access attempt.
  • the tag information is used to enable an operator to link a physical access attempt with an IT access attempt.
  • the physical access control unit 20 may be implemented by a computing device, for example as a software application implemented by the computing device.
  • the IT access control arrangement 14 includes an IT access control unit 30 arranged to control access attempts to an IT resource, gather credentials from users seeking to gain access to the IT resource, compare the gathered credentials with reference credentials, and grant, deny or limit access based on the comparison.
  • the IT access control arrangement 14 is capable of receiving access attempts directly from one or more locally disposed computing devices 32, for example connected to the IT access control unit 30 through a LAN, or from one or more remotely located computing devices 33 that for example connect to the IT access control unit 30 through the Internet. Any of the computing devices 32, 33 may be connected to a credential reader 34 that enables at least one user credential to be gathered.
  • the credential reader may include a biometric reader arranged to gather biometric data from a person, such as fingerprint data. It will be understood, however, that other types of authentication device arranged to determine the identity of a person are envisaged, such as a card reader arranged to read a personal identification card carried by a person, a keypad for enabling a person to enter a PIN number, or a conventional username/password arrangement.
  • the decision whether to grant or deny access and the extent to which access is granted is determined by comparing defined IT access criteria with current access criteria that may include any one or more of the gathered user credentials.
  • The IT access control arrangement 14 is therefore able to grant, deny or limit access to an IT resource based on who the user is, where the user is, when the user attempts to gain access and what the user is attempting to access, and in this way the IT access control arrangement 14 is capable of providing a high degree of access control.
  • users may be allocated different dates and/or times, or defined access time durations, when access is permitted, and the IT access control unit 30 arranged to allow access only at the allocated dates/times and/or only for the defined duration.
  • the level of access may be determined based on the location of the person attempting to gain access, for example whether a computing device associated with the person is connected to the IT access control unit 30 through a local LAN or whether the user's computing device is connected to the IT access control unit 30 through the Internet.
  • location information may be derived from the physical access control arrangement 12, for example the credential reader 26, such that by gaining positive authentication using the credential reader 26, the location of the person at the physical access control unit is confirmed.
  • the level of access may be determined based on user identity information derived from credential information gathered from the user.
  • the level of access may be determined based on whether the user has been given the authority to access particular types of data, or to access data stored in a particular location.
  • a user holding a senior position in an organisation may be authorised to access all data associated with the organisation, and a user holding a junior position in the organisation may be authorised to access only data that is directly relevant to the user, for example that is stored in a folder associated with the user.
  • the physical and IT access control units 20, 30 are interfaced with each other so that information gathered by the physical access control unit 20, such as credential information, may be used by the IT access control unit 30, and/or information gathered by the IT access control unit 30 may be used by the physical access control unit 20.
  • the access control system 10 is arranged such that the above access criteria are customisable such that the access criteria applicable for a user are modifiable and thereby the degree of security applied to the user is modifiable.
  • the IT access control unit 30 in this example is also arranged to add tag information 37 to the access information.
  • the tag information 37 includes information indicative of the location of the IT surveillance
  • the IT access control unit 30 also includes a tagging application 36 arranged to add the tag information 37 to the access information sent to the integrated access control and identity management station 16.
  • the tagging application may source the tag information from the credential reader 26, 34, from location and/or identification information stored at the IT access control unit 30, from location information derived from an electronic identifier, such as an IP address, associated with the IT access control unit 30, or from any other source capable of providing tag information usable to link the IT access attempt with another access attempt record 42.
  • the IT access control unit 30 may include a location application 38 arranged to determine the location of a computing device 32, 33 desiring to gain access, for example using an IP address related to the current location of the computing device 32, 33. Based on the determined location, access may be granted when the computing device 32 is in a specified area, but denied when the computing device is not in the specified area. Similarly, access may be granted or denied based on whether the location of the computing device 32, 33 is verified or not, for example based on whether the computing device 33 is connecting to the IT access control unit 30 through the Internet and whether the location of the computing device can be ascertained and the location authorised as safe. It will be understood that the IT access control unit 30 may be implemented using a computing device, for example at least in part as a software application.
  • the access information indicative of the IT access attempt and associated tag information received at the integrated access control and identity management station 16 is stored in a record 42 in the database 40.
  • the physical and IT access control arrangements 12, 14 include suitable functional components to enable determinations to be made as to whether and to what extent to grant or deny access by a person based on the relevant criteria defined for a user.
  • the functional components may include a processor and memory arranged to implement one or more software applications.
  • access criteria are stored at the physical and IT access control arrangements 12, 14 and used, together with the gathered credentials, to determine whether to grant or deny access. It will however be understood that other implementations are envisaged.
  • the access criteria may be stored and determinations as to whether to grant or deny access may be made remotely from the physical and IT access control arrangements, such as at the integrated access control and identity management station 16.
  • the tag information may take any suitable form, and in this example the tag information is added to the access information as metadata.
  • the IT access control unit 30 in this example controls access to one or more software applications 50 and/or data stored on one or more storage devices 54 by one or more user computing devices 32 disposed locally and connected to the IT access control unit 30 through a wired or wireless LAN, or one or more user computing devices 33 disposed remotely and connected to the IT access control unit 30 through the Internet 52.
  • the IT access control unit 30 is arranged to use access criteria stored in an access matrix 56 to determine whether to grant or deny access and the extent to which access is granted.
  • the access matrix 56 is shown in Figure 3 and includes, for each user, the following criteria:
  • location criteria 60 that defines the locations that are allowed for each user to access the system 10
  • time criteria 62 that defines the allowed times, dates, and/or durations of access for each user
  • trust level criteria 64 that defines the type of data that the user is allowed to access in terms of the degree of sensitivity of data that the user is allowed to access
  • access level criterion 66 that defines the level of access authority granted to each user.
  • User A is allowed to access data up to a high level of sensitivity, to access the data only when the user is located at either Secure Location A or Secure Location B, and to only access the data during office hours.
  • the user is assigned administrator access level that provides the user with a high level of access authority.
  • the user is assigned supervisor access level that provides the user with a reduced level of access authority.
  • administrator access level provides a user with full and complete access to data such that the user is able to read, write and modify data, and the user is able to execute all applications and carry out all functions with full system privileges.
  • Supervisor access level provides a user with partial authority depending on the role of the user and functions that the user is required to perform. Typically a supervisor is only able to read and write data, and sometimes is able to modify data.
  • User C is assigned different access rights (view only, supervisory or no access) depending on whether the location of the user is verified, for example by verifying the location of the computing device associated with the user, and depending on the time of day.
  • the access matrix 56 may be arranged so that trust level criterion 64 alternatively or in addition specifically defines the type of data that the user can access in terms of the location of the data, for example the storage devices and/or data folders that the user is able to access.
  • all access attempts are stored in the database 40 associated with the integrated access control and identity management station 16, and in this way a single accessible source is provided for information relating to all access attempts. It will be understood that in this example for each access attempt, information indicative of the user attempting to access an area or resource, of the date and time that the access attempt occurred, the duration of access granted, the location of the user, and the area(s) and/or resource(s) accessed by the user are recorded in the database 40 and can therefore be used to monitor, trace and/or audit user access activities. For example, if a person attempts to access an IT resource from a particular unverified location, such as a cyber cafe, multiple times, the system 10 may be arranged to generate an alert to an operator.
  • the system may be arranged to modify any one or more of the access criteria defined in the access matrix 56 in response to a potential access risk situation determined from the access information stored in the database 40. For example, in the above example wherein multiple access attempts occur from an unverified location, the system 10 may be arranged to modify the trust level 64 specified for the user in the access matrix 56 to a lower level, such as No Access.
  • the system may include a terminal 44, for example in the form of a personal computer, tablet computer or smartphone.
  • the integrated access control and identity management station 16 is arranged to allow a user terminal 44 to search records 42 relating to both physical and IT related access attempts based on potentially common variables so that related physical and IT access attempts can be identified when a physical access attempt is also accompanied by an IT access attempt.
  • the integrated access control and identity management station 16 is accessible on-line, for example through the Internet. It will be appreciated that the tag information also allows an operator to trace back to a person associated with a physical or IT access event.
  • system enables administrators to control access to an IT resource based on who the user is, where the user is, when the user attempts to gain access and what the user is attempting to access.
  • the access control system provides a high degree of access control, and minimizes the possibility of an impersonation attack (for example through a compromised machine or spoofing).
  • the present access control system provides the ability to control access based on the location of the user, for example using location from a physical access control system.
  • the present integrated access control system can be viewed as a system that removes data ubiquity or enables data ubiquity to an organization.
  • the system is able to remove ubiquity to classified data which requires stricter access control, and at the same time is able to enable ubiquity to unclassified data.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Time Recorders, Drive Recorders, Access Control (AREA)

Abstract

An integrated access control and identity management system comprises an IT access control unit and a physical access control unit. The IT access control unit comprises stored access criteria defining access rights for each user associated with the system. The IT access control unit is arranged to determine whether and the extent to which access should be granted to a user based on the stored access criteria. The physical access control unit is arranged to monitor attempts to physically access an area by a person. The integrated system is arranged to store in the access information storage device access information indicative of access attempts monitored by the IT and physical access control units. The stored access criteria are arranged such that a user identity criterion, an access location criterion, an access time criterion, a type criterion indicative of the type of IT resource that the user is allowed to access, and/or an access level criterion are definable in the stored access criteria.

Description

AN INTEGRATED ACCESS CONTROL AND IDENTITY MANAGEMENT SYSTEM
Field of the Invention
The present invention relates to an integrated access control system for controlling access to at least an IT resource by a person, and to a method of controlling access to at least an IT resource by a person.
Background of the Invention
It is known to provide a system for monitoring and controlling physical access to an area so that access is restricted to authorised persons only. In one such system, access by persons through any one of a plurality of doors is controlled by providing each door with a credential reader for gathering one or more credentials from a person, such as a pin number, biometric information or an ID number stored on a card, and verifying the gathered credentials with reference credentials stored in a back end system.
It is also known to provide a system for monitoring and controlling access to an IT resource, for example including software applications and data, so that only authorised personnel are able to use the software and/or access the data. Such IT access control may be implemented by each user operable computing device associated with the IT resource, or may be implemented at least in part using a separate gateway device that operates to control access and to grant or deny access based on the user's credentials.
However, such conventional IT access control systems are relatively unsophisticated and as a result do not provide effective access control.
Summary of the Invention
In accordance with a first aspect of the present invention, there is provided an access control system comprising:
an IT access control unit arranged to monitor attempts to access an IT resource by a person; and
stored access criteria defining access rights for each user associated with the system;
the IT access control unit arranged to determine whether and the extent to which access should be granted to a user based on the stored access criteria;
wherein the stored access criteria are arranged such that an identity criterion indicative of the identity of the user able to access the IT resource, a location criterion indicative of the location from which the user is allowed to access the IT resource, a time criterion indicative of the time at which the user is allowed to access the IT resource, a type criterion indicative of the type of IT resource that the user is allowed to access, and/or an access level criterion indicative of the level of access authority given to the user are definable in the stored access criteria.
In one embodiment, the system comprises a physical access control unit arranged to monitor attempts to physically access an area by a person.
In one embodiment, the system comprises an access information storage device, the system being arranged to store in the access information storage device access information indicative of access attempts monitored by the IT and physical access control units.
In one embodiment, the identity criterion, the location criterion, the time criterion, the type criterion, and the access level criterion are all defined in the stored access criteria for at least one user associated with the system.
In one embodiment, the IT resource comprises at least one software application and/or data stored in at least one data storage device.
In one embodiment, the time criterion is indicative of the duration of time during which a user is allowed to access the IT resource.
In one embodiment, the type criterion is indicative of one or more storage locations that the user is allowed to access, and/or one or more software applications that the user is allowed to access, and/or one or more data types that the user is allowed to access.
In one embodiment, the type criterion is a trust level criterion indicative of the maximum level of sensitivity of data the user is allowed to access.
In one embodiment, the access level criterion is selected from a group including administrator, supervisor, view only, and no access. In one embodiment, the system is arranged to associate tag information with the access information and to store the tag information in the access information storage device, the tag information including information usable to make a determination as to whether a first access attempt monitored by the physical access control unit is related to a second access attempt monitored by the IT access control unit. In one embodiment, the identity of a user is determined based on credentials gathered from the person.
The credential information may include biometric
information associated with the person, identification information gathered from an identification card carried by the person, a PIN number provided by the person, or any other identification information.
In one embodiment, the tag information includes location information indicative of the location of the access attempt associated with the tag information.
In one embodiment, the tag information includes credential information indicative of at least one credential gathered from a person attempting to access an area or resource.
In one embodiment, the tag information includes date and/or time information.
In one embodiment, the tag information is in the form of metadata added to the access information. In one embodiment, the system comprises an integrated access control and identity management station in
communication with the first and second access control units, the integrated access control and identity
management station receiving the access information and tag information from the first and second access control units, and the integrated access control and identity management station arranged such that the access
information and tag information is accessible through the integrated access control and identity management station.
The integrated access control and identity management station may be arranged so as to facilitate searching by a user through access information and/or tag information.
The integrated access control and identity management station may be accessed locally, or remotely, and may be accessed through a communications network such as the Internet.
In accordance with a second aspect of the present
invention, there is provided a method of controlling access to an IT resource by a person, the method
comprising:
monitoring attempts to access an IT resource by a person; and
storing access criteria defining access rights for each user associated with the system;
determining whether and the extent to which access should be granted to a user based on the stored access criteria;
wherein the stored access criteria are arranged such that an identity criterion indicative of the identity of the user able to access the IT resource, a location criterion indicative of the location from which the user is allowed to access the IT resource, a time criterion indicative of the time at which the user is allowed to access the IT resource, a type criterion indicative of the type of IT resource that the user is allowed to access, and/or an access level criterion indicative of the level of access authority given to the user are definable in the stored access criteria.
Brief Description of the Drawings
The present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a diagrammatic representation of an access control system in accordance with an embodiment of the present invention;
Figure 2 is a diagrammatic representation of components of the access control system shown in Figure 1; and
Figure 3 shows an access matrix of the access control system shown in Figures 1 and 2.
Description of an Embodiment of the Invention
Referring to Figure 1, an embodiment of an access control system 10 that is arranged to control physical access to an area and IT access to a resource is shown. In this example, the access control system 10 also facilitates
monitoring of access attempts by recording historical
access event information associated with a user in an access information storage device and facilitating access to the historical access event information by an operator of the system.
An access event includes positive identification of a person and consequent granting of access by the person, either physically to at least part of an area or
electronically to at least part of an application or data of an IT resource; negative identification wherein a person attempts to gain access but the identity of the person is not verified and consequently access by the person is denied; and otherwise unauthorised physical or electronic access to an area or IT resource, such as forced entry through a controlled access door or physical disconnection of a computing device from the IT resource.
The system 10 includes a physical access control
arrangement 12 and an IT access control arrangement 14, each of which in this example communicates with an access information storage device in the form of an integrated access control and identity management station 16 that may be located remotely relative to the physical and IT access control arrangements 12, 14, for example in communication with the physical and IT access control arrangements 12, 14 through the Internet. In this example, the physical and IT access control arrangements 12, 14 are disposed at the same location or in close proximity to each other.
The physical access control arrangement 12 is arranged to control physical access to an area, and to determine whether an undesirable access event has occurred, such as a failed physical access attempt based on gathered user credentials or an attempt to forcibly gain physical
a software application and/or data, and to determine whether an undesirable access event has occurred, such as a failed IT access attempt based on gathered user
credentials, an access attempt outside of a defined access period or that exceeds a defined access duration, an attempt to access data for which the user is not
authorised, an access attempt from a location that is not authorised, or an attempt to forcibly gain access to software or data. In this example, information indicative of access attempts is sent to the integrated access control and identity management station 16 by the physical access control arrangement 12 and the IT access control arrangement 14, and relevant tag information is added to the access information by each of the access control arrangements 12, 14. The tag information includes information usable to associate access events with each other, for example information indicative of location, information indicative of the gathered user credential data, date and/or time information, and so on.
Since access control events that are likely to be related to each other can be linked with each other by virtue of the tag information, it is possible for an operator to easily identify potentially related physical and IT access control events by searching for particular tag
information. In the example shown in Figure 1, the physical access arrangement 12 includes a physical access control unit 20 arranged to control physical access control attempts, and in particular to gather credentials from users seeking to gain physical access to an area, compare the gathered credentials with reference credentials, and grant or deny access based on the comparison.
In this example, the physical access control unit 20 is connected to at least one camera 22 arranged to gather video information from the surrounding area, at least one access point 24, such as a door, and at least one
credential reader 26.
Each access point 24 has an associated door lock 25 that in this example is controlled by a respective physical access control unit 20 such that the door lock 25 may be caused to enable or prevent opening of the access point 24 in response to an appropriate signal from the physical access control unit 20.
During use, the credential reader 26 gathers at least one user credential from a person desiring to pass through the access point 24, and the physical access control unit 20 compares the gathered user credentials with stored reference user credentials and makes a decision as to whether to grant or deny access. If access is granted, the physical access control unit 20 sends a signal to the door lock 25 to dispose the door lock 25 in an unlocked state and thereby allow the person to pass through the access point 24 and access the area. If access is not granted, the physical access control unit 20 does not send a signal to the door lock 25 and the door lock 25 therefore remains in a locked state, thereby preventing the person from passing through the access point 24 and into the area. The decision whether to grant or deny
access may also be based on the time and/or date that the access attempt occurred. For example, users may be allocated different dates and/or times when access is permitted, and the physical access control unit 20 arranged to allow access only at the allocated
dates/times.
In this example, the credential reader 26 is in the form of a biometric reader arranged to gather biometric data from a person, such as fingerprint data, although it will be understood that other types of credential reader are envisaged, such as a card reader arranged to read a personal identification card carried by a person, a keypad for enabling a person to enter a PIN number, or any other device arranged to determine the identity of a person. While in this example the access point 24 is a door, it will be appreciated that other types of access point are envisaged, such as an elevator door, turnstile, parking gate, or any other physical barrier. In this example, the access point 24 has associated sensors 27, in this example for detecting whether the access point 24 is open or closed. Any suitable sensor for this purpose is envisaged, and in this example magnetic-type proximity sensors are used.
The sensors 27 are connected to the physical access control unit 20, and the physical access control unit 20 monitors the sensors 27 and generates a warning signal when the access point 24 is open. The warning may be used to trigger an alarm, for example in the event that a
sensor 27 indicates that the physical access point 24 is open but that no valid credential verification has occurred.
An access attempt, and in particular an attempted
unauthorised access event or an actual unauthorised access event, may also be determined using the camera 22, for example by automatically analysing video and/or images captured by the camera 22 at the physical access control unit 20.
In this example, the physical access control unit 20 also includes a tagging application 28 arranged to add the tag information 29 to the access information sent to the integrated access control and identity management station 16. In this example, the tag information 29 includes information indicative of the location of the physical access control arrangement 12, the date and time that the access attempt occurred, biometric information gathered from the person desiring to pass through the access point 24, and/or any other relevant information.
The tagging application 28 may source the tag information from the credential reader, from location and/or
identification information stored at the access control unit 20, from location information derived from respective electronic identifiers, such as IP addresses, associated with the access control unit 20, or from any other source capable of providing tag information usable to link a physical access attempt with another access attempt. In this example, the physical access control arrangement 12 includes a location application 31 arranged to determine the location of the physical access control unit 20, for example using a determined IP address related to the current location of the access control unit 20.
The access information indicative of the physical access attempt and associated tag information received at the integrated access control and identity management station 16 is stored in a data storage device in communication with the integrated access control and identity management station 16, in this example in the form of a database 40. The database 40 includes a plurality of records 42, each of which relates to an access attempt.
The tag information is used to enable an operator to link a physical access attempt with an IT access attempt.
It will be understood that the physical access control unit 20 may be implemented by a computing device, for example as a software application implemented by the computing device.
The IT access control arrangement 14 includes an IT access control unit 30 arranged to control access attempts to an IT resource, gather credentials from users seeking to gain access to the IT resource, compare the gathered
credentials with reference credentials, grant or deny access based on the comparison and, if access is granted, determine the extent to which access should be granted. The IT access control arrangement 14 is capable of receiving access attempts directly from one or more locally disposed computing devices 32, for example connected to the IT access control unit 30 through a LAN, or from one or more remotely located computing devices 33 that for example connect to the IT access control unit 30 through the Internet. Any of the computing devices 32, 33 may be connected to a credential reader 34 that enables at least one user
credential to be gathered from a person desiring to gain access to the IT resource. The credential reader may include a biometric reader arranged to gather biometric data from a person, such as fingerprint data. It will be understood, however, that other types of authentication device arranged to determine the identity of a person are envisaged, such as a card reader arranged to read a personal identification card carried by a person, a keypad for enabling a person to enter a PIN number, or a conventional username/password arrangement. The decision whether to grant or deny access and the extent to which access is granted is determined by comparing defined IT access criteria with current access criteria that may include any one or more of the gathered user credentials, the time and/or date that the access attempt occurred, the duration of access, the location of the person attempting to gain access, and/or the type of data that the user desires to access. The IT access control arrangement 14 is therefore able to grant, deny or limit access to an IT resource based on who the user is, where the user is, when the user attempts to gain access and what the user is attempting to access, and in this way the IT access control arrangement 14 is capable of providing a high degree of access control. For example, users may be allocated different dates and/or times, or defined access time durations, when access is permitted, and the IT access control unit 30 arranged to allow access only at the allocated dates/times and/or only for the defined duration.
The level of access may be determined based on the location of the person attempting to gain access, for example whether a computing device associated with the person is connected to the IT access control unit 30 through a local LAN or whether the user's computing device is connected to the IT access control unit 30 through the Internet. In one embodiment, location information may be derived from the physical access control arrangement 12, for example the credential reader 26, such that by gaining positive authentication using the credential reader 26, the location of the person at the physical access control unit is confirmed. The level of access may be determined based on user identity information derived from credential information gathered from the user. The level of access may be determined based on whether the user has been given the authority to access particular types of data, or to access data stored in a particular location. For example, a user holding a senior position in an organisation may be authorised to access all data associated with the organisation, and a user holding a junior position in the organisation may be authorised to access only data that is directly relevant to the user, for example that is stored in a folder associated with the user. It will be appreciated that in the present embodiment, the physical and IT access control units 20, 30 are interfaced with each other so that information gathered by the physical access control unit 20, such as credential information, may be used by the IT access control unit 30, and/or information gathered by the IT access control unit 30 may be used by the physical access control unit 20.
It will be appreciated that the access control system 10 is arranged such that the above access criteria are customisable such that the access criteria applicable for a user are modifiable and thereby the degree of security applied to the user is modifiable. The IT access control unit 30 in this example is also arranged to add tag information 37 to the access
information indicative of an access attempt that is sent to the integrated access control and identity management station 16 by the IT surveillance arrangement 14. In this example, the tag information 37 includes information indicative of the location of the IT surveillance
arrangement 14, the date and time that the access attempt occurred, identity information, such as biometric
information, gathered from the person desiring to gain access to the IT system, and/or any other relevant
information.
In this example, the IT access control unit 30 also includes a tagging application 36 arranged to add the tag information 37 to the access information sent to the integrated access control and identity management station 16. The tagging application may source the tag
information from credential reader 26, 34, from location and/or identification information stored at the IT access control unit 30, from location information derived from an electronic identifier, such as an IP address, associated with the IT access control unit 30, or from any other source capable of providing tag information usable to link the IT access attempt with another access attempt record 42.
In this example, the IT access control unit 30 may include a location application 38 arranged to determine the location of a computing device 32, 33 desiring to gain access, for example using an IP address related to the current location of the computing device 32, 33. Based on the determined location, access may be granted when the computing device 32 is in a specified area, but denied when the computing device is not in the specified area. Similarly, access may be granted or denied based on whether the location of the computing device 32, 33 is verified or not, for example based on whether the
computing device 33 is connecting to the IT access control unit 30 through the Internet and whether the location of the computing device can be ascertained and the location authorised as safe. It will be understood that the IT access control unit 30 may be implemented using a computing device, for example at least in part as a software application. In this example, the access information indicative of the IT access attempt and associated tag information received at the integrated access control and identity management station 16 is stored in a record 42 in the database 40. In this example, the physical and IT access control arrangements 12, 14 include suitable functional components to enable determinations to be made as to whether and to what extent to grant or deny access by a person based on the relevant criteria defined for a user. For this purpose, the functional components may include a processor and memory arranged to implement one or more software applications. In this example, access criteria are stored at the physical and IT access control arrangements 12, 14 and the credentials used to determine whether to grant or deny access. It will however be understood that other implementations are envisaged. For example, the access criteria may be stored and determinations as to whether to grant or deny access may be made remotely from the physical and IT access control arrangements, such as at the integrated access control and identity management station 16.
The tag information may take any suitable form, and in this example the tag information is added to the access information as metadata.
Referring to Figure 2, components of the IT access control arrangement 14 are shown. The IT access control unit 30 in this example controls access to one or more software applications 50 and/or data stored on one or more storage devices 54 by one or more user computing devices 32 disposed locally and connected to the IT access control unit 30 through a wired or wireless LAN, or one or more user computing devices 33 disposed remotely and connected to the IT access control unit 30 through the Internet 52.
In this example, the IT access control unit 30 is arranged to use access criteria stored in an access matrix 56 to determine whether to grant or deny access and the extent
matrix 56 is shown in Figure 3 and includes user
information 58 indicative of the users associated with the system 10, location criteria 60 that defines the locations that are allowed for each user to access the system 10, time criteria 62 that defines the allowed times, dates, and/or durations of access for each user, trust level criteria 64 that defines the type of data that the user is allowed to access in terms of the degree of sensitivity of data that the user is allowed to access, and an access level criterion 66 that defines the level of access authority granted to each user.
In the present example, User A is allowed to access data up to a high level of sensitivity, to access the data only when the user is located at either Secure Location A or Secure Location B, and to only access the data during office hours. In addition, when User A is located at Secure Location A, the user is assigned administrator access level that provides the user with a high level of access authority. In contrast, when User A is located at Secure Location B, the user is assigned supervisor access level that provides the user with a reduced level of access authority.
In the present embodiment, administrator access level provides a user with full and complete access to data such that the user is able to read, write and modify data, and the user is able to execute all applications and carry out all functions with full system privileges. Supervisor access level provides a user with partial authority depending on the role of the user and functions that the user is required to perform. Typically a supervisor is only able to read and write data, and sometimes is able to modify data.
It will be understood that since User A is allowed to access an IT resource only when the user is located at Secure Location A or Secure Location B, if an attempt to access the IT resource occurs but the location of the user is not verified, for example by confirming user
credentials using a credentials reader at Secure Location A or Secure Location B, then access to the data will be denied. Also in the present example, User C is assigned different access rights (view only, supervisory or no access) depending on whether the location of the user is verified, for example by verifying the location of the computing device associated with the user, and depending on the time of day.
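The matrix rules above, as an added Python example (not the patent's or the applicant's own code): User A's two rows and the identity, location, time and trust-level checks follow the page; the 09:00-18:00 office-hours window, the three-step sensitivity scale and User C's specific rows are constructed assumptions.

```python
"""Access-matrix evaluation modelled on the matrix of Figure 3 (added example)."""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional

# Constructed sensitivity scale; "high" stands for the page's "high level of sensitivity".
SENSITIVITY = {"unclassified": 0, "confidential": 1, "high": 2}
# Access levels named on the page, from least to most authority.
ACCESS_LEVELS = ("no access", "view only", "supervisor", "administrator")
OFFICE_HOURS = (time(9, 0), time(18, 0))   # constructed assumption for "office hours"


@dataclass(frozen=True)
class Rule:
    """One row of the access matrix for a user: location, time, trust and access level."""
    locations: Optional[FrozenSet[str]]  # allowed locations; None means any location
    require_verified: bool               # location criterion met only by a verified location
    start: time                          # allowed window start (inclusive)
    end: time                            # allowed window end (inclusive)
    trust_level: str                     # maximum data sensitivity this row permits
    access_level: str                    # authority granted when the row matches


ACCESS_MATRIX = {
    # User A as described on the page: high sensitivity, office hours, two secure locations.
    "User A": [
        Rule(frozenset({"Secure Location A"}), True, *OFFICE_HOURS, "high", "administrator"),
        Rule(frozenset({"Secure Location B"}), True, *OFFICE_HOURS, "high", "supervisor"),
    ],
    # User C: constructed rows for the page's "view only, supervisory or no access".
    "User C": [
        Rule(None, True, *OFFICE_HOURS, "confidential", "supervisor"),
        Rule(None, True, time(0, 0), time(23, 59), "unclassified", "view only"),
    ],
}


def decide(user, location, location_verified, at, data_sensitivity, matrix=ACCESS_MATRIX):
    """Apply the identity, location, time and type criteria and return the access level.

    Rows are tried in order and the first match wins; no match means "no access".
    """
    rules = matrix.get(user)
    if not rules:
        return "no access"                                  # identity criterion failed
    if data_sensitivity not in SENSITIVITY:
        raise ValueError(f"unknown sensitivity {data_sensitivity!r}")
    for rule in rules:
        if rule.require_verified and not location_verified:
            continue                                        # location not verified
        if rule.locations is not None and location not in rule.locations:
            continue                                        # location not allowed
        if not (rule.start <= at <= rule.end):
            continue                                        # outside allowed time
        if SENSITIVITY[data_sensitivity] > SENSITIVITY[rule.trust_level]:
            continue                                        # data above the row's trust level
        return rule.access_level
    return "no access"


def evaluate(user, location, location_verified, hhmm, data_sensitivity):
    """Convenience wrapper that takes the time of the attempt as 'HH:MM'."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return decide(user, location, location_verified, time(hour, minute), data_sensitivity)


if __name__ == "__main__":
    print(evaluate("User A", "Secure Location A", True, "10:00", "high"))  # administrator
```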
It will be understood that the access matrix 56 may be arranged so that trust level criterion 64 alternatively or in addition specifically defines the type of data that the user can access in terms of the location of the data, for example the storage devices and/or data folders that the user is able to access.
In this example, all access attempts, both physical and IT related, are stored in the database 40 associated with the integrated access control and identity management station 16, and in this way a single accessible source is provided for information relating to all access attempts. It will be understood that in this example for each access attempt, information indicative of the user attempting to access an area or resource, of the date and time that the access attempt occurred, the duration of access granted, the location of the user, and the area(s) and/or
resource(s) accessed by the user are recorded in the database 40 and can therefore be used to monitor, trace and/or audit user access activities. For example, if a person attempts to access an IT resource from a particular unverified location, such as a cyber cafe, multiple times, the system 10 may be arranged to generate an alert to an operator.
In addition, the system may be arranged to modify any one or more of the access criteria defined in the access matrix 56 in response to a potential access risk situation determined from the access information stored in the database 40. For example in the above example wherein multiple access attempts occur from an unverified
location, the system 10 may be arranged to modify the trust level 64 specified for the user in the access matrix 56 to a lower level, such as No Access.
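An added example (not the patent's or the applicant's code) of how the tag metadata lets records from the physical and IT access control arrangements be linked, and of the alert-and-downgrade response described above; the sample records, the 15-minute pairing window and the three-attempt threshold are constructed assumptions.

```python
"""Linking physical and IT access records by their tag metadata (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass(frozen=True)
class AccessRecord:
    """A record 42 in the database: the event plus the tag metadata the page lists."""
    kind: str             # "physical" or "IT"
    granted: bool
    location: str         # tag: location of the access control arrangement
    user: str             # tag: identity established from the gathered credential
    timestamp: datetime   # tag: date and time of the attempt


def corroborating_physical_event(it, records, window=timedelta(minutes=15)):
    """Find the latest granted physical event whose location and identity tags match
    the IT attempt and that occurred within `window` before it.

    None means the physical system cannot vouch for the IT attempt's location.
    """
    best: Optional[AccessRecord] = None
    for r in records:
        if (r.kind == "physical" and r.granted
                and r.user == it.user and r.location == it.location
                and it.timestamp - window <= r.timestamp <= it.timestamp):
            if best is None or r.timestamp > best.timestamp:
                best = r
    return best


def link_events(records, window=timedelta(minutes=15)):
    """Pair each IT attempt with its corroborating physical event (None when unverified)."""
    return [(it, corroborating_physical_event(it, records, window))
            for it in records if it.kind == "IT"]


def review_risk(records, matrix, threshold=3):
    """Alert when a user has `threshold` or more IT attempts from unverified locations
    and lower that user's trust level in the matrix to "no access". Returns the alerts."""
    unverified: Dict[str, int] = {}
    for it, physical in link_events(records):
        if physical is None:
            unverified[it.user] = unverified.get(it.user, 0) + 1
    alerts = []
    for user, count in unverified.items():
        if count >= threshold and user in matrix:
            matrix[user]["trust_level"] = "no access"
            alerts.append(f"{user}: {count} IT access attempts from unverified locations; "
                          "trust level set to no access")
    return alerts


# Constructed sample data: User A badges into Secure Location A and then logs in there;
# User C tries three times from a cyber cafe, where no physical reader can vouch for them.
T0 = datetime(2014, 1, 6, 9, 0)
SAMPLE_RECORDS = [
    AccessRecord("physical", True, "Secure Location A", "User A", T0),
    AccessRecord("IT", True, "Secure Location A", "User A", T0 + timedelta(minutes=5)),
    AccessRecord("IT", False, "cyber cafe", "User C", T0 + timedelta(hours=1)),
    AccessRecord("IT", False, "cyber cafe", "User C", T0 + timedelta(hours=1, minutes=2)),
    AccessRecord("IT", False, "cyber cafe", "User C", T0 + timedelta(hours=1, minutes=4)),
]


def sample_matrix():
    """A fresh copy of the trust-level column for the two sample users (constructed)."""
    return {"User A": {"trust_level": "high"}, "User C": {"trust_level": "confidential"}}


if __name__ == "__main__":
    matrix = sample_matrix()
    for alert in review_risk(SAMPLE_RECORDS, matrix):
        print(alert)
    print(matrix)
```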
In order to facilitate searching through the records 42 in the database 40, the system may include a terminal 44, for example in the form of a personal computer, tablet computer or smartphone. For this purpose, the integrated access control and identity management station 16 is arranged to allow a user terminal 44 to search records 42 relating to both physical and IT related access attempts based on potentially common variables so that related physical and IT access attempts can be identified when a physical access attempt is also accompanied by an IT access attempt. In this example, the integrated access control and identity management station 16 is accessible on-line, for example through the Internet. It will be appreciated that the tag information also allows an operator to trace back to a person associated with a physical or IT access event.
It will be appreciated that the system enables administrators to control access to an IT resource based on who the user is, where the user is, when the user attempts to gain access and what the user is attempting to access. The access control system provides a high degree of access control, and minimizes the possibility of an impersonation attack (for example through a compromised machine or spoofing).
It will also be appreciated that unlike conventional electronic access control systems, the present access control system provides the ability to control access based on the location of the user, for example using location from a physical access control system.
The present integrated access control system can be viewed as a system that removes data ubiquity or enables data ubiquity to an organization. The system is able to remove ubiquity to classified data which requires stricter access control, and at the same time is able to enable ubiquity to unclassified data.
Modification and variations as would be apparent to a skilled addressee are deemed to be within the scope of the present invention.

Claims
1. An access control system comprising:
an IT access control unit arranged to monitor attempts to access an IT resource by a person; and
stored access criteria defining access rights for each user associated with the system;
the IT access control unit arranged to determine whether and the extent to which access should be granted to a user based on the stored access criteria;
wherein the stored access criteria are arranged such that an identity criterion indicative of the identity of the user able to access the IT resource, a location criterion indicative of the location from which the user is allowed to access the IT resource, a time criterion indicative of the time at which the user is allowed to access the IT resource, a type criterion indicative of the type of IT resource that the user is allowed to access, and/or an access level criterion indicative of the level of access authority given to the user are definable in the stored access criteria.
2. An access control system as claimed in claim 1, wherein the identity criterion, the location criterion, the time criterion, the type criterion, and the access level criterion are all defined in the stored access criteria for at least one user associated with the system.
3. An access control system as claimed in claim 1 or claim 2, wherein the IT resource comprises at least one software application and/or data stored in at least one data storage device.
4. An access control system as claimed in any one of claims 1 to 3, wherein the time criterion is indicative of the duration of time during which a user is allowed to access the IT resource.
5. An access control system as claimed in any one of the preceding claims, wherein the type criterion is indicative of one or more storage locations that the user is allowed
to access, and/or one or more software applications that the user is allowed to access, and/or one or more data types that the user is allowed to access.
6. An access control system as claimed in any one of the preceding claims, wherein the type criterion is a trust level criterion indicative of the maximum level of sensitivity of data the user is allowed to access.
7. An access control system as claimed in any one of the preceding claims, wherein the access level criterion is selected from a group including administrator, supervisor, view only, and no access.
8. An access control system as claimed in any one of the preceding claims, comprising a physical access control unit arranged to monitor attempts to access an area by a person.
9. An access control system as claimed in any one of the preceding claims, wherein the identity of a user is determined based on credentials gathered from the person.
10. An access control system as claimed in claim- 9, wherein the credential information includes biometric information associated with the person, identification information gathered from an identification card carried by the person, a PIN number provided by the person, or any other identification information.
11. An access control system as claimed in claim 8, comprising an access information storage device, the system being arranged to store in the access information storage device access information indicative of access attempts monitored by the IT and physical access control units.
12. An access control system as claimed in any one of the preceding claims, wherein the system is arranged to associate tag information with the access information and to store the tag information in the access information storage device, the tag information including information usable to make a determination as to whether a first access attempt monitored by the physical access control unit is related to a second access attempt monitored by the IT access control unit.
13. An access control system as claimed in claim 12, wherein, the tag information includes location information , indicative of the location of the access attempt
associated with the tag information.
14. An access control system as claimed in claim 12 Or claim 13, wherein the tag information includes credential information indicative of at least one credential gathered from a person attempting to access an area or resource.
15. An access control system as claimed in any one of claims 12 to 14, wherein the tag information includes date and/or time information.
16. An access control system as claimed in any one of claims 12 to 15, wherein the tag information is in the form of metadata added to the access information.
17. An access control system as claimed in any one of claims 12 to 16, wherein the system comprises an integrated access control and identity management station in communication with the first and second access control units, the integrated access control and identity management station receiving the access information and tag information from the first and second access control units, and the integrated access control and identity management station arranged such that the access information and tag information is accessible through the integrated access control and identity management station.
18. An access control system as claimed in claim 17, wherein the integrated access control and identity management station is arranged so as to facilitate searching by a user through access information and/or tag information.
19. An access control system as claimed in claim 18, wherein the integrated access control and identity management station is accessible locally or remotely, and may be accessed through a communications network such as the Internet.
20. A method of controlling access to an IT resource by a person, the method comprising:
monitoring attempts to access an IT resource by a person;
storing access criteria defining access rights for each user associated with the system; and
determining whether and the extent to which access should be granted to a user based on the stored access criteria;
wherein the stored access criteria are arranged such that an identity criterion indicative of the identity of the user able to access the IT resource, a location criterion indicative of the location from which the user is allowed to access the IT resource, a time criterion indicative of the time at which the user is allowed to access the IT resource, a type criterion indicative of the type of IT resource that the user is allowed to access, and/or an access level criterion indicative of the level of access authority given to the user are definable in the stored access criteria.
21. A method as claimed in claim 20, comprising defining all of the identity criterion, the location criterion, the time criterion, the type criterion, and the access level criterion in the stored access criteria for at least one user associated with the system.
22. A method as claimed in claim 20 or claim 21, wherein the IT resource comprises at least one software application and/or data stored in at least one data storage device.
23. A method as claimed in any one of claims 20 to 22, wherein the time criterion is indicative of the duration of time during which a user is allowed to access the IT resource.
24. A method as claimed in any one of claims 20 to 23, wherein the type criterion is indicative of one or more storage locations that the user is allowed to access, and/or one or more software applications that the user is allowed to access, and/or one or more data types that the user is allowed to access.
25. A method as claimed in any one of claims 20 to 24, wherein the type criterion is a trust level criterion indicative of the maximum level of sensitivity of data the user is allowed to access.
26. A method as claimed in any one of claims 20 to 25, comprising selecting the access level criterion from a group including administrator, supervisor, view only, and no access.
27. A method as claimed in any one of claims 20 to 26, comprising monitoring physical attempts to access an area by a person.
28. A method as claimed in any one of claims 20 to 27, comprising determining the identity of a user based on credentials gathered from the person.
29. A method as claimed in claim 28, wherein the credential information includes biometric information associated with the person, identification information gathered from an identification card carried by the person, a PIN number provided by the person, or any other identification information.
30. A method as claimed in claim 27, comprising storing access information indicative of access attempts monitored by the IT and physical access control units.
31. A method as claimed in claim 30, comprising associating tag information with the access information and storing the tag information in the access information storage device, the tag information including information usable to make a determination as to whether a first access attempt monitored by the physical access control unit is related to a second access attempt monitored by the IT access control unit.
32. A method as claimed in claim 31, wherein the tag information includes location information indicative of the location of the access attempt associated with the tag information.
33. A method as claimed in claim 31 or claim 32, wherein the tag information includes credential information indicative of at least one credential gathered from a person attempting to access an area or resource.
34. A method as claimed in any one of claims 31 to 33, wherein the tag information includes date and/or time information.
35. A method as claimed in any one of claims 31 to 34, wherein the tag information is in the form of metadata added to the access information.
36. A method as claimed in any one of claims 31 to 35, comprising:
providing an integrated access control and identity management station;
receiving at the integrated access control and identity management station the access information and tag information; and
facilitating access to the access information and tag information through the integrated access control and identity management station.
37. A method as claimed in claim 36, comprising facilitating searching by a user through access information and/or tag information.
38. A method as claimed in claim 37, comprising facilitating access to the integrated access control and identity management station locally or remotely through a communications network.
39. A method as claimed in any one of claims 20 to 38, comprising using the access information and/or the tag information to trace back to a person associated with an access attempt.
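The five access criteria of claims 1 and 20 to 26, evaluated in order, together with the tag-based correlation of claims 12 to 16 and 31 to 34 that lets an IT access attempt be traced back to a physical entry by the same person (claim 39), as an added example that is not code from the patent or its assignee; the badge ids, locations, trust levels, hour windows and the fifteen-minute correlation window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed model of the claimed access criteria and tag information; not the patent's own code.
LEVELS = {"no access": 0, "view only": 1, "supervisor": 2, "administrator": 3}

@dataclass
class Criteria:
    locations: frozenset   # location criterion: where the user may access the resource
    hours: tuple           # time criterion: (start_hour, end_hour) window of allowed access
    trust_level: int       # type criterion as a trust level: max sensitivity of data allowed
    access_level: str      # access level criterion

@dataclass
class Attempt:
    unit: str              # "physical" or "IT": the access control unit that monitored it
    credential: str        # tag: credential gathered from the person (a badge id here)
    location: str          # tag: location of the attempt
    ts: datetime           # tag: date and time of the attempt
    sensitivity: int = 0   # IT only: sensitivity of the data requested
    requested: str = "view only"  # IT only: level of access requested

CRITERIA = {"badge-1001": Criteria(frozenset({"HQ-L3"}), (8, 18), 2, "supervisor"),  # constructed
            "badge-1002": Criteria(frozenset({"HQ-L1"}), (0, 24), 1, "view only")}

def evaluate(attempt, criteria=CRITERIA):
    """Apply the five criteria in turn; return (granted, failed criterion or granted level)."""
    c = criteria.get(attempt.credential)
    if c is None:
        return False, "identity"
    if attempt.location not in c.locations:
        return False, "location"
    if not c.hours[0] <= attempt.ts.hour < c.hours[1]:
        return False, "time"
    if attempt.sensitivity > c.trust_level:
        return False, "type"
    if LEVELS[c.access_level] < LEVELS[attempt.requested]:
        return False, "access level"
    return True, c.access_level

def correlate(attempts, window=timedelta(minutes=15)):
    """Pair each IT attempt with the latest physical entry by the same credential at the same
    location within `window` before it; None means no entry was recorded, which merits review."""
    physical = [a for a in attempts if a.unit == "physical"]
    pairs = []
    for it in (a for a in attempts if a.unit == "IT"):
        match = max((p for p in physical if p.credential == it.credential
                     and p.location == it.location and timedelta(0) <= it.ts - p.ts <= window),
                    key=lambda p: p.ts, default=None)
        pairs.append((it, match))
    return pairs

SAMPLE = [Attempt("physical", "badge-1001", "HQ-L3", datetime(2014, 4, 30, 8, 50)),  # constructed
          Attempt("IT", "badge-1001", "HQ-L3", datetime(2014, 4, 30, 9, 0), 2),
          Attempt("IT", "badge-1001", "HQ-L3", datetime(2014, 4, 30, 10, 0), 2)]
```

The second login in SAMPLE has no badge entry within the window, so correlate() returns None for it; that gap, not the login itself, is what the tag information makes visible.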
PCT/SG2014/000192 2013-12-26 2014-04-30 An integrated access control and identity management system WO2015099607A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
SG11201602975YA SG11201602975YA (en) 2013-12-26 2014-04-30 An integrated access control and identity management system
CN201480065011.6A CN106104548B (en) 2013-12-26 2014-04-30 Integrated access control and identity management system
AU2014370501A AU2014370501A1 (en) 2013-12-26 2014-04-30 An integrated access control and identity management system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SG201309622-7 2013-12-26
SG2013096227A SG2013096227A (en) 2013-12-26 2013-12-26 An integrated access control and identity management system

Publications (1)

Publication Number Publication Date
WO2015099607A1 true WO2015099607A1 (en) 2015-07-02

Family

ID=53479313

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2014/000192 WO2015099607A1 (en) 2013-12-26 2014-04-30 An integrated access control and identity management system

Country Status (4)

Country Link
CN (1) CN106104548B (en)
AU (1) AU2014370501A1 (en)
SG (3) SG2013096227A (en)
WO (1) WO2015099607A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109544892A (en) * 2018-12-04 2019-03-29 四川奥地建筑设计有限公司 A kind of wisdom agricultural things-internet gateway system
CN111970698A (en) * 2020-08-07 2020-11-20 云南微元智造科技有限公司 Industrial field weak network environment optimization method
US10891816B2 (en) 2017-03-01 2021-01-12 Carrier Corporation Spatio-temporal topology learning for detection of suspicious access behavior
US11373472B2 (en) 2017-03-01 2022-06-28 Carrier Corporation Compact encoding of static permissions for real-time access control
US11410478B2 (en) 2018-04-18 2022-08-09 Carrier Corporation Visualization and management of access levels for access control based al hierarchy
US11687810B2 (en) 2017-03-01 2023-06-27 Carrier Corporation Access control request manager based on learning profile-based access pathways
US11770372B2 (en) 2020-07-28 2023-09-26 Hewlett Packard Enterprise Development Lp Unified identity and access management (IAM) control plane for services associated with a hybrid cloud

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DK3590101T3 (en) * 2017-03-01 2022-02-21 Carrier Corp STRUCTURE FOR ACCESS PROVISION IN PHYSICAL ACCESS CONTROL SYSTEMS
CN109920119A (en) * 2019-04-17 2019-06-21 深圳市商汤科技有限公司 Gate inhibition's setting method and device
CN112804240B (en) * 2021-01-19 2023-04-18 深圳市天彦通信股份有限公司 Function control method, device, server, storage medium and product

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070094716A1 (en) * 2005-10-26 2007-04-26 Cisco Technology, Inc. Unified network and physical premises access control server
US20070186106A1 (en) * 2006-01-26 2007-08-09 Ting David M Systems and methods for multi-factor authentication
US20080271109A1 (en) * 2007-04-25 2008-10-30 Cisco Technology, Inc. Physical security triggered dynamic network authentication and authorization
US20120042366A1 (en) * 2010-08-13 2012-02-16 International Business Machines Corporation Secure and usable authentication for health care information access

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10891816B2 (en) 2017-03-01 2021-01-12 Carrier Corporation Spatio-temporal topology learning for detection of suspicious access behavior
US11373472B2 (en) 2017-03-01 2022-06-28 Carrier Corporation Compact encoding of static permissions for real-time access control
US11687810B2 (en) 2017-03-01 2023-06-27 Carrier Corporation Access control request manager based on learning profile-based access pathways
US11410478B2 (en) 2018-04-18 2022-08-09 Carrier Corporation Visualization and management of access levels for access control based al hierarchy
CN109544892A (en) * 2018-12-04 2019-03-29 四川奥地建筑设计有限公司 A kind of wisdom agricultural things-internet gateway system
US11770372B2 (en) 2020-07-28 2023-09-26 Hewlett Packard Enterprise Development Lp Unified identity and access management (IAM) control plane for services associated with a hybrid cloud
US12074862B2 (en) 2020-07-28 2024-08-27 Hewlett Packard Enterprise Development Lp Unified identity and access management (IAM) control plane for services associated with a hybrid cloud
CN111970698A (en) * 2020-08-07 2020-11-20 云南微元智造科技有限公司 Industrial field weak network environment optimization method
CN111970698B (en) * 2020-08-07 2023-04-07 江苏海岸线互联网科技有限公司 Industrial field weak network environment optimization method

Also Published As

Publication number Publication date
SG10201805371VA (en) 2018-08-30
CN106104548A (en) 2016-11-09
SG2013096227A (en) 2015-07-30
SG11201602975YA (en) 2016-07-28
CN106104548B (en) 2019-08-06
AU2014370501A1 (en) 2016-05-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14873168; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2014370501; Country of ref document: AU; Date of ref document: 20140430; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14873168; Country of ref document: EP; Kind code of ref document: A1)