
WO2025134208A1 - Access management system, access management method and program - Google Patents


Info

Publication number
WO2025134208A1
Authority
WO
WIPO (PCT)
Prior art keywords
pep
access
peps
access control
monitoring information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/JP2023/045362
Other languages
French (fr)
Inventor
Nakul GHATE
Shohei Mitani
Tomohiko Yagyu
Hirofumi Ueda
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
Original Assignee
NEC Corp

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems

Definitions

  • the present disclosure relates to an access management system, an access management method and a program.
  • Access control is a typical security tool to prevent network attacks.
  • the first step is to create policy rules that define who is allowed to perform what operations on a resource. Then, according to those rules, user actions are allowed or denied.
  • Patent Literature 1 discloses an access control information distribution apparatus.
  • the access control information distribution apparatus includes a distribution determination unit configured to determine a destination device to which an access control policy is distributed on the basis of at least one of a condition which permits access to an object and an attribute of the object; and a policy distribution unit configured to distribute an access control policy to the destination device determined by the distribution determination unit.
  • the invention aims to realize access control to an object using complicated conditions.
  • PTL 1 discloses that the access control information distribution apparatus uses a static condition and/or static attribute information; therefore, it does not mention how to solve the problem above.
  • An object of the present disclosure is to provide an access management system, an access management method and a program capable of maintaining security and system efficiency under changing circumstances. It should be noted that this object is only one of a plurality of objects that a plurality of example embodiments disclosed herein seek to achieve. Other objects or issues and new features are apparent from the description or accompanying drawings herein.
  • an access management system that includes: an obtaining means for obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and a Policy Enforcement Point (PEP) selection means for selecting one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information.
  • an access management method that includes: obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and selecting one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information.
  • a program for causing a computer to execute: obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and selecting one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information.
  • Fig. 1 is an example of a block diagram of an access management system according to the present disclosure.
  • Fig. 2 is an example of a flowchart illustrating a method of the access management system according to the present disclosure.
  • Fig. 3 is an example of a block diagram of an access control system according to the present disclosure.
  • Fig. 4 is a schematic diagram for illustrating an example to be applied in the access control system.
  • Fig. 5 is a schematic diagram for illustrating balancing of mis-control and security using Active Directory and application firewall example to be applied in the access control system.
  • Fig. 6 is a schematic diagram for illustrating balancing of mis-control and security using Active Directory and application firewall example to be applied in the access control system.
  • Fig. 7 is a schematic diagram for illustrating a high urgency example to be applied in the access control system.
  • Fig. 8 is an example of a flowchart illustrating a method of the access control system according to the present disclosure.
  • Fig. 9 is a drawing illustrating an example of a hardware configuration of the computer system applicable to the access management system 10 and/or the access control system.
  • At least one of A or B may mean any one of A or B, or both A and B.
  • when "at least one" is used for three or more elements, it can mean any one of these elements, or any plurality of the elements (including all elements).
  • Use of the term “and/or” means that each option is usable individually or in combination with any, or all, of the other options.
  • the access management system 10 includes an obtaining unit 12 and a Policy Enforcement Point (PEP) selection unit 14.
  • the access management system 10 may be one or more computers and/or machines.
  • at least one of the components in the access management system 10 can be installed in a computer as a combination of one or a plurality of memories and one or a plurality of processors.
  • the computer(s) used as the access management system 10 may be a management server or a controller provided in or outside a target system subject to access control.
  • the obtaining unit 12 obtains monitoring information and one or more access control policies.
  • the monitoring information is generated by monitoring a target system subject to access control. Any method can be used to monitor the target system.
  • the access control policy can determine whether a user action (e.g. access to a resource) is allowed or denied and/or suggest one or more countermeasures against the user action in the target system.
  • the monitoring information may relate to at least one of the following parameters: a device state, a resource state, a user state, and a network state.
  • the monitoring information includes, but is not limited to, at least one of the following parameters: security (e.g. threat cause), attack vectors, business impact, determining access path, availability of PEP(s), workload of PEP(s), enforcement cost, mis-control cost due to denial of access, urgency of access, user roles, and resource status.
  • the monitoring information and/or the one or more access control policies obtained by the obtaining unit 12 can be stored in or outside the access management system 10. Further, monitoring the target system and generating the monitoring information can be performed by the access management system 10 or by another computer.
  • the PEP selection unit 14 selects one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information. If the monitoring information changes as time passes, the PEP selection unit 14 can select PEP(s) different from those selected before. Therefore, the PEP selection unit 14 can select PEP(s) dynamically.
  • the obtaining unit 12 obtains monitoring information and one or more access control policies (step S12).
  • the PEP selection unit 14 uses the monitoring information to select one or more PEPs of the target system to enforce the one or more access control policies (step S14).
  • since the PEP selection unit 14 selects PEP(s) to enforce the one or more access control policies based on the monitoring information, it can select the PEP(s) that become necessary as the situation changes, while not selecting PEP(s) that are unnecessary for the changed situation. Therefore, the access management system 10 can maintain security and system efficiency under changing circumstances.
  • enforcing access control at a network-level enforcing point such as a router or a Layer-3 switch, or at an identity-based access control point such as Active Directory, may deny access more broadly than intended. This may reflect in losses in business due to denial of resources at mission-critical services or denial of essential resource access, etc.
  • the distribution of access control functions at different PEPs can greatly benefit from automation of the distribution process. It reduces the risk of human errors and of deployment of conflicting rules, and provides a more suitable PEP choice by monitoring the status of assets, logging the access requests and analyzing the rules deployed on the PEPs.
  • otherwise, the access control can become inefficient and prone to human errors and conflicting rules.
  • the access control can also become inefficient in terms of enforcement cost, latency in access, workload, denial of essential service, etc.
  • the best choice of access control PEP(s) depends on analyzing several dynamic factors which balance the trade-offs among goal advantages.
  • the goal advantages include, but are not limited to, preserving security, reducing workload and/or enforcement cost, and minimizing the mis-control due to denial of access.
  • such factors vary dynamically according to the change in environment. Therefore, a particular choice of PEP(s) suitable at one instance may not necessarily be suitable at another instance, even while controlling access in the same application, to the same resource, from the same device. Analyzing such dynamic factors results in choosing the most desirable PEP(s) among the pool of capable PEP(s). It is required to dynamically evaluate such desirability to determine the suitable PEP(s) so as to balance the trade-offs, and to apply policy rules suitable for the determined PEP(s).
  • one object of the present disclosure is to provide an access control system, access control method, and access control program that contribute to balancing the above-mentioned trade-offs by choosing the most desirable PEP(s).
  • Fig. 3 is an example of a block diagram of an access control system.
  • the access control system 100 includes a monitoring unit 101, a policy database 102, a mapping module 110, a PEP selection module 120, and a rule generator 130.
  • the monitoring unit 101 monitors a target system subject to access control.
  • the target system stores a Resource R to be accessed and includes PEPs controlling access to resources such as the Resource R.
  • the PEPs may enforce access control at different layers according to the Open Systems Interconnection (OSI) model.
  • one PEP may enforce network layer access control while the other PEP may enforce application layer access control.
  • two PEPs may enforce access control at the same layer but at different access granularities. For instance, one PEP enforces application layer access control per User-granularity while the other PEP enforces application layer access control per Resource-granularity.
  • two PEPs may enforce access control at the same layer and at the same granularity, but their physical locations or logical placements are different. For instance, one PEP enforces access control at the network interface (such as a firewall), while the other PEP enforces access control at the operating system interface (such as containers). For another instance, one PEP enforces application layer access control at the client side (such as a web browser), while the other PEP enforces application layer access control at the server side (such as a firewall).
  • the monitoring unit 101 generates monitoring information I by the monitoring and outputs the monitoring information I to the mapping module 110 and the PEP selection module 120.
  • the detail of the monitoring information is already explained in the first example embodiment and omitted here.
  • for example, the monitoring unit 101 monitors a suspicious login attempt in which a user A accesses the Resource R, and generates the monitoring information I indicating an access request in which the user A accesses the Resource R.
  • the monitoring information I can vary dynamically.
  • the policy database 102 stores a plurality of access control policies (hereinafter also referred to simply as policies). As shown above, a policy determines whether user actions are allowed or denied in the target system.
  • the policy database 102 has its input as the monitoring information I, analyzes the monitoring information I and selects one or more of the policies P considered appropriate for the situation indicated by the monitoring information I. Hereinafter, one or more of the policies P will be collectively referred to as the policy P.
  • the policy database 102 outputs the policy P to the mapping module 110.
  • the policy P can vary dynamically with the monitoring information I.
  • the mapping module 110 has its input as the monitoring information I and the policy P from the policy database. Further, the mapping module 110 has its input as a pool of PEPs to which any policy is applicable. The pool of PEPs may be stored in a memory (not shown in Fig. 3). The mapping module 110 analyzes the monitoring information I and the policy P, then selects, from the pool of PEPs, a list of capable PEPs (namely, candidate PEPs) on which the given policy P can be applied, and outputs the list of capable PEPs. As with the policy P, the list of capable PEPs can vary with the monitoring information I.
  • the mapping module 110 can keep track of the capable PEPs by establishing a series of connections to the remote capable PEPs.
  • for instance, the mapping module 110 can use a SYN-ACK handshake method; however, the method is not limited to this.
  • the PEP selection unit 122 ranks the capable PEPs by the desirability scores calculated by the score calculation unit 121 and selects one or more of the PEPs.
  • one or more of the PEPs will be collectively referred to as the PEP.
  • the PEP selection unit 122 may select the PEP with the highest desirability score as one or more optimal enforcement points for access control corresponding to a given access request.
  • the selection method performed by the PEP selection unit 122 is not limited to this.
  • the PEP selection unit 122 may select the PEP(s) whose desirability scores are above a predetermined threshold.
  • the PEP selection unit 122 may select the PEP(s) ranked higher than a predetermined rank.
  • the rule generator 130 takes the policy P to be enforced at the PEP(s) selected by the PEP selection unit 122 and creates one or more specific access rules to be applied by the PEP(s).
  • the one or more specific access rules will be collectively referred to as the specific access rule.
  • the rule generator 130 may convert the format of the policy P into one enforceable at the PEPs selected by the PEP selection unit 122 to generate the specific access rule.
  • the rule generator 130 also contains a module to transfer the specific access rule to the PEP selected by the PEP selection unit 122.
  • the specific access rule can be transferred remotely by a central controller, such as an SDN controller. Alternatively, the transfer can be performed in a distributed manner. In such a distributed arrangement, rule generators constituting the rule generator 130 are distributed and placed on each PEP. The policy P is transferred remotely to these distributed rule generators and converted into the specific access rules which can be applied by each PEP.
  • the monitoring information I and the Policy P are first analyzed by the mapping module 110 to create the list of capable PEPs on which the policy P can be enforced. Then, the desirability score is calculated and tabulated corresponding to each PEP by the score calculation unit 121 inside PEP selection module 120.
  • the score calculation unit 121 may consider several parameters to calculate the desirability score, while the several parameters reflect the requirements from the access control system 100.
  • the PEP selection unit 122 selects one or more PEPs which are top ranked in the desirability table. The one or more PEPs are regarded as the optimal PEP(s) for policy enforcement.
  • the rule generator 130 creates enforceable rules from the policy P to be enforced at the selected PEP(s).
  • the policy P includes access decisions corresponding to the access request indicated in the monitoring information I.
  • the access request in its simplest form contains identifiers of the subject requesting the access, identifiers of the resource requested by the subject, identifiers of the resource on which the access control should be performed, identifiers of the operation requested by the subject on the resource, and/or a timestamp of the access.
  • the monitoring information I may contain additional information about the subject and/or the resource as well as the network.
  • the monitoring information I may further contain several items of contextual information regarding the access.
  • the access decisions in the Policy P may consist of Allow or Deny decisions corresponding to different attributes collected in the dynamically monitored information I.
  • the Policy P may also contain countermeasure steps to obtain the access permissions in a case where a Deny decision is given for an access request based on the monitoring information I.
  • the mapping module 110 obtains the list of all capable PEPs on which the access control rules can be enforced at the current time, i.e. the processing execution timing of the access control system 100.
  • the list may contain different types of PEPs for multi-layer access control, for instance, but not limited to: (1) File I/O access control; (2) Container-level access control; (3) Inter-Process Communication (IPC) level access control determining rules for inter-process communication; (4) OS-level access control; (5) Basic Input Output System (BIOS) level access control; (6) Hardware-level access control determining who can perform sensitive operations such as updating firmware; (7) Layer 2 access control such as OpenFlow; (8) Network access control at Layer 3 such as packet filtering firewall; (9) Transport layer access control such as stateful firewall; (10) Application layer access control such as application firewall, deep-packet inspection; and/or (11) Identity based access control such as Identity Access Management, Active Directory, etc.
  • the mapping module 110 analyzes the Policy P and, from the capable PEPs, determines the PEPs which are capable of enforcing the Policy P. Then, the mapping module 110 outputs the determined capable PEPs as a list.
  • for example, the policy P is "deny access to sensitive resources from User U".
  • this policy can be applied by 1) each application firewall on the sensitive resources, 2) identity access control PEPs such as Active Directory, 3) a network-level PEP from which the user U requests access, and 4) Layer 2 switches such as OpenFlow, among other PEPs.
  • the access policy P may not be enforced by some PEPs such as File I/O, because such a PEP performs the access control only after the request has reached the resource server, which would allow intrusion inside the resource server before the control takes effect. This may result in a security breach.
  • the score calculation unit 121 calculates the desirability score for all the capable PEPs selected by the mapping module 110. For this calculation, the score calculation unit 121 compares several parameters related to, for instance but not limited to, security, enforcement cost, workload, and/or mis-control due to denial of access, among others. The several parameters may reflect the requirements of the business. The following are examples of the calculation performed by the score calculation unit 121: (1) Calculating the desirability of the PEP for policy enforcement by considering the cost of mis-control due to denial of access. For instance, when the access is restricted at the User access control level, such as Active Directory and other Identity Access Management based access control, enforcing User access control by the PEP restricts a plurality of accesses from the user, not only the one to be denied.
  • for instance, the access policy denies an access request to a resource on account of a malicious activity being detected by the system, and on account of that it is necessary to enforce access control quickly.
  • in that case, the desirability of a PEP which can quickly update its access control rules and enforce new policies is higher.
  • user-based access control such as Active Directory often controls access using session tokens which have a relatively longer expiry time compared to sessions in application-level access control such as a resource firewall.
  • in that case, the desirability of the resource firewall will be greater compared to the Active Directory; (4) Calculating the desirability of the PEP for policy enforcement by considering the workload on the PEP during enforcement.
  • the PEP which enforces a single policy with a greater number of rules is bound to have a higher workload compared to PEPs which enforce it with fewer rules. A higher workload increases the decision latency and the enforcement cost in terms of increased storage and computing power. Therefore, the PEP with the lower workload will have a relatively larger desirability; and/or (5) Calculating the desirability of the PEP for policy enforcement by considering the denial coverage. For instance, a PEP which enforces a deny policy with a single rule and is able to cover a multitude of deny cases may be preferred over another PEP which uses a greater number of rules to cover the same number of deny cases. This is partly due to workload requirements and partly due to the better security achieved by the former.
  • the score calculation unit 121 assigns numerical scores to all the PEPs selected by the mapping module 110.
  • the numerical scores may be assigned such that it is easier to rank the PEPs from the most desirable to the least desirable based on the assigned scores.
  • the most easily achievable method is to calculate the desirability score as a weighted sum.
  • the desirability score for each PEP is obtained by first calculating the scores of the PEP corresponding to each considered parameter for desirability calculation, then assigning a weight to each calculated value.
  • the desirability score of the PEP as the result is then calculated as the weighted sum of the parameter score values.
  • the equation for the weighted sum is as follows.
  • the desirability score for the PEP x is $D = \sum_{i} w_i s_i$, where D is the desirability score for the PEP x, i ranges over the parameter(s) considered for the desirability calculation, $w_i$ is the weight given to the parameter i, and $s_i$ is the score calculated for the parameter i for the PEP x.
  • Assignment of the weights is an essential step for calculating the desirability score.
  • the assignment of the weights may differ in several example embodiments of the present disclosure.
  • the assignment of the weights can be performed as in the following examples, but is not limited thereto.
  • the weights corresponding to each parameter in the calculation of the desirability score can be manually set by the security operator.
  • the security operator compares the relative importance of each parameter over the other and assigns appropriate weights to each of them.
  • the weights may be set dynamically, and any other parameter may be selected over the other depending on the situation. For instance, in case where a security incident is reported, the relative importance of security is higher over workload or mis-control cost.
  • as another example, the weights can be computed with the Analytic Hierarchy Process (AHP). AHP utilizes the relative dominance among each pair of parameters. The relative dominance among a pair of parameters is set by the operator; then the algorithm automatically computes the weights of the parameters.
  • methods to automatically compute the weights without the input of the operator can also be utilized, such as algorithms which automatically learn the weights for each parameter of the desirability calculation. For instance, machine learning and artificial intelligence are utilized to learn the parameter weights, given enough training data from the logs of previous access control decisions or synthetically generated access control log data.
  • the PEP selection unit 122 is responsible for finally selecting the PEP(s) on which the final access control policy is enforced. It may perform the selection by ranking the PEPs in decreasing order of their desirability scores. Then, based on the desired security, it may select one or more PEPs among the top or high-ranked PEPs. The PEPs with low desirability scores are not suitable for enforcing access control, and vice versa.
  • the number of PEPs selected by the PEP selection unit 122 depends on the desired security requirements of the business. In the case of multi-layer security, multiple PEPs may be selected for defense-in-depth. For instance, consider a case where two PEPs are the top-ranked PEPs in the desirability calculation. One PEP performs User-granular access control, like Active Directory, and the other PEP performs access control at each resource level, like an Application Firewall. Then, in one of the example embodiments, the PEP selection unit 122 may select both PEPs for enforcing the access policy, from the viewpoint "if multi-layer defense access control is desired". In another example embodiment, only one of the PEPs may be selected in a case where security is not much of a concern, but the cost of policy enforcement or latency is the concern.
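The pipeline described above (mapping module, weighted-sum desirability score, dynamic weights, ranked selection with an optional defense-in-depth choice), as an added Python model that is not part of the patent. The PEP pool, the per-parameter scores, the weight baseline and the monitoring fields are all constructed for illustration; the three scenarios mirror the Fig. 5, Fig. 6 and Fig. 7 situations.

```python
"""Added example (not from the patent): mapping module -> score calculation
-> PEP selection, with weights set dynamically from monitoring information.
All PEP names, scores, weights and monitoring fields are constructed."""
from dataclasses import dataclass

# Parameters considered for the desirability score (the page lists these
# among others); every score s_i is in [0, 1], higher meaning more desirable.
PARAMS = ("security", "mis_control", "urgency", "workload", "coverage")


@dataclass(frozen=True)
class PEP:
    name: str
    layer: str             # identity, application, network, l2, file_io
    policies: frozenset    # policy kinds this PEP is able to enforce
    scores: dict           # parameter -> constructed score s_i for this PEP


@dataclass(frozen=True)
class MonitoringInfo:
    incident_reported: bool   # evidence of malicious activity (Fig. 6)
    urgent: bool              # access must be restricted quickly (Fig. 7)


# Constructed pool: Active Directory is coarse-grained (low mis-control
# score) and slow to take effect (long-lived session tokens), the
# application firewall is resource-granular, the Layer-3 gateway is fastest.
POOL = [
    PEP("Active Directory", "identity", frozenset({"deny"}),
        dict(security=0.9, mis_control=0.2, urgency=0.3, workload=0.8, coverage=0.9)),
    PEP("Application Firewall", "application", frozenset({"deny", "allow"}),
        dict(security=0.6, mis_control=0.9, urgency=0.8, workload=0.5, coverage=0.5)),
    PEP("Layer-3 Gateway", "network", frozenset({"deny", "allow"}),
        dict(security=0.5, mis_control=0.3, urgency=1.0, workload=0.6, coverage=0.8)),
    PEP("OpenFlow Switch", "l2", frozenset({"deny"}),
        dict(security=0.5, mis_control=0.3, urgency=0.9, workload=0.4, coverage=0.6)),
    PEP("File I/O Monitor", "file_io", frozenset({"deny"}),
        dict(security=0.3, mis_control=0.9, urgency=0.7, workload=0.3, coverage=0.2)),
]


def mapping_module(policy_kind, pool):
    """List of capable PEPs for the policy. File I/O PEPs are excluded for
    deny policies because, as the page notes, they act only after the
    request has already reached the resource server."""
    capable = [p for p in pool if policy_kind in p.policies]
    if policy_kind == "deny":
        capable = [p for p in capable if p.layer != "file_io"]
    return capable


def assign_weights(info):
    """Weights w_i set dynamically: a manual baseline, then security over
    mis-control cost when an incident is reported, and urgency when a quick
    restriction is required. Normalised so that D stays within [0, 1]."""
    w = {"security": 1.0, "mis_control": 1.0, "urgency": 0.5,
         "workload": 0.5, "coverage": 0.5}
    if info.incident_reported:
        w["security"], w["mis_control"] = 3.0, 0.5
    if info.urgent:
        w["urgency"] = 3.0
    total = sum(w.values())
    return {k: v / total for k, v in w.items()}


def desirability(pep, weights):
    """D = sum_i w_i * s_i, the weighted sum given on the page."""
    return sum(weights[i] * pep.scores[i] for i in PARAMS)


def desirability_table(capable, weights):
    """(score, name) pairs ranked from most to least desirable."""
    return sorted(((desirability(p, weights), p.name) for p in capable),
                  reverse=True)


def select_peps(table, defense_in_depth=False, threshold=None):
    """Top-ranked PEP; the top two for multi-layer defence; or every PEP
    whose score reaches the threshold when one is given."""
    if threshold is not None:
        return [name for score, name in table if score >= threshold]
    return [name for _, name in table[:2 if defense_in_depth else 1]]


def choose(info, policy_kind="deny", **selection):
    """Run the whole pipeline for one access request."""
    table = desirability_table(mapping_module(policy_kind, POOL),
                               assign_weights(info))
    return select_peps(table, **selection)


if __name__ == "__main__":
    print(choose(MonitoringInfo(False, False)))  # Fig. 5: Application Firewall
    print(choose(MonitoringInfo(True, False)))   # Fig. 6: Active Directory
    print(choose(MonitoringInfo(True, True)))    # Fig. 7: Layer-3 Gateway
    print(choose(MonitoringInfo(True, False), defense_in_depth=True))
```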
  • the rule generator 130 creates specific rules from the policy P by converting the policy P so the specific rules can be enforced at the PEP(s) selected by the PEP selection unit 122. As each PEP may have a specific format of enforceable rules based on access granularity or vendor specification, the converting process may be required.
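The format conversion done by the rule generator, as an added Python example that is not part of the patent: one policy P is converted into the enforceable rule format of three PEP types, and a check reports which of the generated rules are coarser than the single resource named in the policy (the mis-control cost discussed for Fig. 5). The rule formats, field names and sample addresses are constructed assumptions.

```python
"""Added example (not from the patent): a toy rule generator converting one
policy P into PEP-specific enforceable rules. Rule formats, field names and
the addresses in the constructed context are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    decision: str     # "allow" or "deny"
    subject: str      # identifier of the requesting user
    resource: str     # identifier of the resource
    operation: str    # operation requested on the resource


# Constructed monitoring context: the page says monitoring information may
# carry extra facts about the subject and the network; a network PEP needs
# addresses because it cannot see users or operations.
CONTEXT = {"user_u": "10.0.0.23", "resource_r": ("10.0.1.5", 443)}


def to_active_directory(p, ctx):
    """User-granular PEP: a deny can only be expressed per account, so it
    blocks every resource of that user, not just the one in the policy."""
    action = "disable_account" if p.decision == "deny" else "enable_account"
    return {"pep": "active_directory", "granularity": "user",
            "action": action, "user": p.subject}


def to_application_firewall(p, ctx):
    """Resource-granular PEP: the rule names user, resource and operation."""
    return {"pep": "application_firewall", "granularity": "resource",
            "action": p.decision, "user": p.subject,
            "resource": p.resource, "operation": p.operation}


def to_l3_gateway(p, ctx):
    """Network PEP: only addresses and ports are enforceable, so subject and
    resource identifiers are resolved through the monitoring context."""
    dst, port = ctx[p.resource]
    return {"pep": "l3_gateway", "granularity": "network",
            "action": "drop" if p.decision == "deny" else "accept",
            "src": ctx[p.subject], "dst": dst, "dport": port}


GENERATORS = {
    "Active Directory": to_active_directory,
    "Application Firewall": to_application_firewall,
    "Layer-3 Gateway": to_l3_gateway,
}


def generate_rules(policy, selected_peps, ctx=CONTEXT):
    """Convert policy P into one enforceable rule per selected PEP."""
    return [GENERATORS[name](policy, ctx) for name in selected_peps]


def coarser_than_resource(rules):
    """PEPs whose rule is not resource-granular: keyed on the account or on
    addresses, the deny can also hit other resources of the user (other
    services on the same host, for instance)."""
    return [r["pep"] for r in rules if r["granularity"] != "resource"]


if __name__ == "__main__":
    deny = Policy("deny", "user_u", "resource_r", "read")
    rules = generate_rules(deny, list(GENERATORS))
    for rule in rules:
        print(rule)
    print(coarser_than_resource(rules))
```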
  • PDP: Policy Decision Point
  • Fig. 4 is a schematic diagram for illustrating an example to be applied in the access control system 100.
  • the system in Fig. 4 consists of a control plane, corresponding to the PDP above, and several PEPs.
  • a Software Defined Network (SDN) controller in the control plane is responsible for deciding which PEP should be allowed to control the access for a given request.
  • a PEP 1, "IP management", prevents spoofing and impersonation of a user.
  • a PEP 2, "Device EDR", restricts malicious device(s) and prevents device spoofing.
  • a PEP 3, "Network Firewall", restricts malicious device(s) and restricts malicious network activity.
  • a PEP k+1, "Application Firewall", restricts unauthorized requests and prevents application layer attacks.
  • a PEP k+2, "Container Firewall", restricts unauthorized commands.
  • the access control system 100 can fit inside the SDN (or PDP) controller, which would dynamically send the policy in the form of enforceable rules to the selected PEP(s).
  • Such a setting can be enforced in a centralized manner with the SDN controller located in the remote cloud while PEPs are scattered among multiple places.
  • the setting can also be enforced locally in an edge-cloud setting where only some functionality of the access control system is located in the cloud. For example, the PEP mapping function and the desirability score calculation are located in the cloud, while the remaining functions, such as the rule generator, are located at the edge.
  • Fig. 5 is a schematic diagram for illustrating balancing of mis-control and security using Active Directory and application firewall example to be applied in the access control system 100.
  • in Fig. 5, although suspicious user activity (user access to a confidential resource 1 and to a normal and essential resource 2) is detected by the system, the access control is not enforced on the Active Directory, because doing so would result in denial of not only the confidential resource but also the essential resource. This situation, caused by coarse-grained access control, results in an increased mis-control cost, which is not desirable.
  • the access control is enforced at resource firewall which only blocks access to the confidential resource from the user, while the access to the essential resource is allowed.
  • the choice of the application firewall over Active Directory is made by calculating the desirability score in the PEP selection module inside the controller, as shown in Fig. 5.
  • the desirability score for an authenticator PEP (Active Directory) is 0.4
  • the desirability score for the application firewall is 0.8. Therefore, the PDP (or SDN controller) to which the access control system 100 is applied selects the application firewall as the PEP to which an appropriate Deny rule should be applied.
  • the appropriate Deny rule is enforced at the Application Firewall as the result.
  • in Figs. 6 and 7, the same points as in Fig. 5 will be appropriately omitted.
  • Fig. 6 is a schematic diagram for illustrating balancing of mis-control and security using Active Directory and application firewall example to be applied in the access control system 100.
  • the access control is now enforced at the Active Directory because the malicious activity is being detected by the system and the evidence is too much to ignore.
  • the desirability calculation function ranks Active Directory over the application firewall to satisfy the security requirements, even at the cost of mis-control.
  • the desirability score for an authenticator PEP (Active Directory) is 0.8
  • the desirability score for the application firewall is 0.4.
  • the ranking indicates that the loss due to a security breach would be much more harmful than the loss due to denial of the essential service.
  • An appropriate Deny rule is enforced at the Active Directory as the result.
  • a different situation will be considered for Fig. 6.
  • threat cause will be considered. If the cause of the denial of access is determined to be "multiple failed authentications", the trust of the user who wants to access the resources gets drastically reduced. For such a case, by considering the threat cause, the access control system 100 can calculate the desirability of each PEP and determine the User access control in the form of Active Directory to be the most suitable PEP for enforcing the deny policy. An appropriate Deny rule is enforced at the Active Directory as the result.
  • a different situation will be considered for Fig. 5.
  • threat cause will be considered. If the cause of the denial of access is determined to be "high confidentiality of resource", the security of the confidential resource over its untrusted access gets prioritized. For such a case, by considering the threat cause, the access control system 100 calculates the desirability of each PEP and determines the resource access control in the form of Application Firewall to be the most suitable PEP for enforcing the deny policy. An appropriate Deny rule is enforced at the Application Firewall as the result.
  • Fig. 7 is a schematic diagram for illustrating high urgency example to be applied in the access control system 100.
  • the PEPs capable of enforcing the Deny policy are: the Active Directory enforcing user-level access control, the application firewall enforcing resource-level access control, and the Layer-3 gateway device enforcing network-level access control.
  • network access control would be the quickest way to restrict access in case of urgency: the network access control restricts any access from the malicious user or device.
  • the access control system 100 selects the Layer-3 gateway device to enforce the access control, since the PEP selection module in the PDP selects the Layer-3 gateway, which has the highest desirability.
  • the desirability score for an authenticator PEP is 0.4
  • the desirability score for the application firewall is 0.5
  • the desirability score for the Layer-3 gateway is 0.8.
  • the ranking reflects that a high-urgency situation is occurring. In this way, an appropriate Deny rule is enforced at the Layer-3 gateway device as the result.
  • a different situation will be considered for Fig. 7.
  • a low urgency example will be considered.
  • the malicious activity is detected from the user or device; however, the urgency is low.
  • the PEP selection module in the PDP will not select the Layer-3 gateway device to enforce access control, because it would also restrict access to the destination network from all the devices on the source network. This restriction reduces the availability of services to other users or access subjects.
  • the desirability of the Active Directory enforcing user-level access control will be higher, as it restricts all access from the malicious user only.
  • the access revocation might be slow, as the user can still access some of the resources on the destination network using previously received session tokens.
  • even so, this solution may turn out to be the optimal one.
  • the desirability score for an authenticator PEP Active Directory
  • the desirability score for the application firewall is 0.5
  • the desirability score for the Layer-3 gateway is 0.4.
  • the ranking indicates that selecting the Active Directory is suitable. In this way, an appropriate Deny rule is enforced at the Active Directory as the result.
  • the monitoring unit 101 generates monitoring information I by monitoring a target system (step S22).
  • the monitoring unit 101 monitors a suspicious activity by a user A; specifically, the monitoring unit 101 detects that the user A is accessing an unauthorized resource R in a target system. Then, the monitoring unit 101 generates and outputs the monitoring information I indicating an access request in which the user A accesses the unauthorized resource R.
  • the policy database 102 analyzes the monitoring information I and selects the policy P considered appropriate for the situation described by the monitoring information I (step S24).
  • the policy P selected by the policy database 102 is "Deny access from user A to Resource R" as an appropriate response towards the access.
  • the policy database 102 outputs the policy P to the mapping module 110.
  • the mapping module 110 analyzes the policy P and the user activity indicated by the monitoring information I, and then generates and outputs a list of capable PEPs on which the given policy P can be applied as a result of the analysis (step S26).
  • the list of capable PEPs indicates: the authenticator (i.e. Active Directory, enforcing user-granular access control), the Layer-2 switch (enforcing device-granular access control), the Layer-3 switch (enforcing network access control with IP address-based rules) and the application firewall (enforcing resource-granular access control), which are capable of enforcing the policy P.
  • the score calculation unit 121 calculates a desirability score for each PEP from the list of capable PEPs and generates a table of the calculated desirability scores (step S28).
  • the score calculation unit 121 analyzes the following parameters as dynamic factors F: mis-control due to access denial, threat cause, urgency level, access granularity, security coverage, and workload of PEPs, among others.
  • the PEP selection unit 122 ranks the PEPs in the order of their desirability scores and selects the top ranked PEP(s) in the desirability score table (step S30).
  • the PEP selection unit 122 determines one or more of the top ranked PEPs as the most desirable access control enforcement point(s) and as the subjects of enforcement of the given policy P. For example, if the score of the Active Directory is 0.8, the score of the Layer-2 switch is 0.6, the score of the Layer-3 switch is 0.6 and the score of the application firewall is 0.4, the PEP selection unit 122 selects the Active Directory as the top ranked PEP.
  • the rule generator 130 converts the policy P to generate enforceable rules (specific access rules) for each selected PEP for enforcing access control (step S32). For example, the rule generator 130 generates enforceable rules indicating that the access by the user A should be blocked for one day, such as { "userToBlock": "user A", "set blockDuration: 1 day", "Disable-AD account" }. The rule generator 130 distributes the enforceable rules to the selected PEP(s) for the desired access control enforcement. Then, the rule generator 130 outputs the enforceable rules to the selected PEP(s).
  • the access control system 100 can maintain security and system efficiency under changing circumstances. Specifically, the access control system 100 can contribute to balancing the above-mentioned trade-offs by choosing the most desirable PEP(s).
  • the mapping module 110 can select one or more PEPs using the monitoring information I and the policy P. Therefore, the access control system 100 can select the PEPs to enforce the policy more correctly.
  • the score calculation unit 121 can calculate an evaluation for each PEP candidate, and the one or more PEPs are selected from the PEP candidates based on the evaluation. Therefore, by using the evaluation, the access control system 100 can select the PEPs to enforce the policy more correctly.
  • the score calculation unit 121 can calculate the evaluation for each PEP candidate by weighting differently depending on a plurality of factors. Therefore, by refining the calculation, the access control system 100 can select the PEPs to enforce the policy more correctly.
  • the score calculation unit 121 can calculate the evaluation so that the evaluation changes as the monitoring information changes. Therefore, by reflecting dynamically changing information, the access control system 100 can allow for situation-based selection.
  • the mapping module 110 can select the PEP candidates from the PEPs of the target system by establishing a series of connections to remote PEPs of the target system. Therefore, the access control system 100 can have the remote PEPs enforce the policy P and ensure security.
  • the rule generator 130 can convert the policy P to one or more rules conforming to the one or more PEPs selected by the PEP selection unit 122. Therefore, it is possible to ensure that the policy P is enforced in the selected PEP(s) and to ensure that security is effective.
  • the computer 200 includes a Central Processing Unit (CPU) 210, a primary storage device 220, an auxiliary storage device 230, and a Network Interface Card (NIC) 240, which is a communication interface.
  • the type of the communication interface is not limited to this. These elements are connected to each other by, for instance, an internal bus.
  • the CPU 210 is one example of a processor. Instead of the CPU, for example, a microprocessor or an MPU (Micro Processing Unit) can be used. Further, the computer 200 may include a plurality of processors. In this case, each of the processors executes one or a plurality of programs including a group of instructions to cause a computer to perform an algorithm explained above with reference to the drawings.
  • the primary storage device 220 temporarily stores the program executed by the computer 200 so that the CPU 210 can process it.
  • the primary storage device 220 includes, for example, a semiconductor memory (for example, Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable and Programmable ROM (EEPROM)) and/or a storage device including at least one of Hard Disk Drive (HDD), Solid State Drive (SSD), Compact Disc (CD), Digital Versatile Disc (DVD) and so forth. From another point of view, the primary storage device 220 is formed by a volatile memory and/or a nonvolatile memory.
  • the primary storage device 220 may include a storage disposed apart from the CPU 210. In this case, the CPU 210 may access the primary storage device 220 through the NIC.
  • implementation of the access management system 10 and/or the access control system 100 can be done not only in one computer system but also in a plurality of computer systems.
  • one computer system can send/receive data needed for operations processed in the access management system 10 and/or the access control system 100 to/from another computer system to achieve the operations.
  • An access management system comprising: an obtaining means for obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and a Policy Enforcement Point (PEP) selection means for selecting one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information.
  • An access management method performed by a computer comprising: obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and selecting one or more Policy Enforcement Point (PEP)s of the target system to enforce the one or more access control policies based on the monitoring information.
  • the access management method according to Supplementary Note 10, further comprising: selecting the one or more PEPs using the monitoring information and the one or more access control policies.
  • the access management method according to Supplementary Note 11, further comprising: calculating an evaluation for each PEP candidate and selecting the one or more PEPs from the PEP candidates based on the evaluation.
  • 10 access management system
  • 12 obtaining unit
  • 14 PEP selection unit
  • 100 access control system
  • 101 monitoring unit
  • 102 policy database
  • 110 mapping module
  • 120 PEP selection module
  • 121 score calculation unit
  • 122 PEP selection unit
  • 130 rule generator
  • 200 computer
  • 210 CPU
  • 220 primary storage device
  • 230 auxiliary storage device
  • 240 NIC


Abstract

An object of the present disclosure is to provide an access management system, an access management method and a program capable of maintaining security and system efficiency under changing circumstances. In one aspect, an access management system includes: an obtaining unit for obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and a Policy Enforcement Point (PEP) selection unit for selecting one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information.

Description

ACCESS MANAGEMENT SYSTEM, ACCESS MANAGEMENT METHOD AND PROGRAM
  The present disclosure relates to an access management system, an access management method and a program.
Access control is a typical security tool to prevent network attacks. In access control, the first step is to create policy rules that define who is allowed to perform what operations on which resources. Then, according to those rules, user actions are allowed or denied.
Patent Literature 1 (PTL 1) discloses an access control information distribution apparatus. The access control information distribution apparatus includes a distribution determination unit configured to determine a destination device to which an access control policy is distributed on the basis of at least one of a condition which permits access to an object and an attribute of the object, and a policy distribution unit configured to distribute the access control policy to the destination device determined by the distribution determination unit. The invention aims to realize access control to an object using complicated conditions.
PTL 1: Japanese Unexamined Patent Application Publication No. 2011-197903
Static choice of destination devices may cause inefficiency in large and dynamic cyber-physical systems. Moreover, smart malicious actors can easily figure out the static logic of policy implementation. PTL 1 discloses that the access control information distribution apparatus uses static conditions and/or attribute information; therefore, it does not address how to solve the problem above.
  An object of the present disclosure is to provide an access management system, an access management method and a program capable of maintaining security and system efficiency under changing circumstances. It should be noted that this object is only one of a plurality of objects that a plurality of example embodiments disclosed herein seek to achieve. Other objects or issues and new features are apparent from the description or accompanying drawings herein.
  According to one aspect of the disclosure, there is provided an access management system that includes:
  an obtaining means for obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and
  a Policy Enforcement Point (PEP) selection means for selecting one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information.
  According to one aspect of the disclosure, there is provided an access management method that includes:
  obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and
  selecting one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information.
  According to one aspect of the disclosure, there is a program for causing a computer to execute:
  obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and
  selecting one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information.
  An object of the present disclosure is to provide an access management system, an access management method and a program capable of maintaining security and system efficiency under changing circumstances.
Fig. 1 is an example of a block diagram of an access management system according to the present disclosure.
Fig. 2 is an example of a flowchart illustrating a method of the access management system according to the present disclosure.
Fig. 3 is an example of a block diagram of an access control system according to the present disclosure.
Fig. 4 is a schematic diagram for illustrating an example to be applied in the access control system.
Fig. 5 is a schematic diagram for illustrating balancing of mis-control and security using an Active Directory and application firewall example to be applied in the access control system.
Fig. 6 is a schematic diagram for illustrating balancing of mis-control and security using an Active Directory and application firewall example to be applied in the access control system.
Fig. 7 is a schematic diagram for illustrating a high urgency example to be applied in the access control system.
Fig. 8 is an example of a flowchart illustrating a method of the access control system according to the present disclosure.
Fig. 9 is a drawing illustrating an example of a hardware configuration of the computer system applicable to the access management system 10 and/or the access control system.
  Example embodiments according to the present disclosure will be described hereinafter with reference to the drawings. Note that the following description and the drawings are omitted and simplified as appropriate for clarifying the explanation. Further, the same elements are denoted by the same reference numerals and/or letters throughout the drawings, and redundant descriptions thereof are omitted as required. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed.
  Also, in this disclosure, unless otherwise specified, "at least one of A or B (A/B)" may mean any one of A or B, or both A and B. Similarly, when "at least one" is used for three or more elements, it can mean any one of these elements, or any plurality of elements (including all elements). Use of the term "and/or" means that each option is usable individually or in combination with any, or all, of the other options. Further, it should be noted that in the description of this disclosure, elements described using the singular forms such as "a", "an", "the" and "one" may be multiple elements unless explicitly stated.
  Each of the drawings or figures is merely an example to illustrate one or more example embodiments. Each figure may not be associated with only one particular example embodiment, but may be associated with one or more other example embodiments. As those of ordinary skill in the art will understand, various features or steps described with reference to any one of the figures can be combined with features or steps illustrated in one or more other figures, for example, to produce example embodiments that are not explicitly illustrated or described. Not all of the features or steps illustrated in any one of the figures to describe an example embodiment are necessarily essential, and some features or steps may be omitted. The order of the steps described in any of the figures may be changed as appropriate.
  (First Example Embodiment)
  <Configuration Description>
  Referring to Fig. 1, the access management system 10 includes an obtaining unit 12 and a Policy Enforcement Point (PEP) selection unit 14. The access management system 10 may be one or more computers and/or machines. As an example, at least one of components in the access management system 10 can be installed in a computer as a combination of one or a plurality of memories and one or a plurality of processors. For example, the computer(s) used as the access management system 10 may be a management server or a controller provided in or outside a target system subject to access control.
  The obtaining unit 12 obtains monitoring information and one or more access control policies. The monitoring information is generated by monitoring a target system subject to access control. Any method can be used to monitor the target system. For example, the access control policy can determine whether a user action (e.g. access to a resource) is allowed or denied and/or suggest one or more countermeasures against the user action in the target system.
  The monitoring information may relate to at least one of the following parameters: a device state, a resource state, a user state, and a network state. Specifically, the monitoring information includes, but is not limited to, at least one of the following parameters:
- Security (e.g. Threat cause),
- Attack vectors,
- Business impact,
- Determining access path,
- Availability of PEP(s),
- Workload of PEP(s),
- Enforcement Cost,
- Mis-control Cost due to denial of access,
- Urgency of access,
- User Roles, and
- Resource status.
These parameters can change as time passes; therefore, they can be called dynamic parameters.
  The monitoring information and/or the one or more access control policies obtained by the obtaining unit 12 can be stored in or outside the access management system 10. Further, monitoring the target system and generating the monitoring information can be performed by the access management system 10 or by another computer.
  The PEP selection unit 14 selects one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information. If the monitoring information changes as time passes, the PEP selection unit 14 can select PEP(s) different from those selected before the change. Therefore, the PEP selection unit 14 can select PEP(s) dynamically.
<Flow Description>
  Next, referring to the flowchart in Fig. 2, an example of the operation of the present disclosure will be described. The details of each process in Fig. 2 are already explained above, and their explanation is omitted as appropriate.
  First, the obtaining unit 12 obtains monitoring information and one or more access control policies (step S12). Next, the PEP selection unit 14 uses the monitoring information to select one or more PEPs of the target system to enforce the one or more access control policies (step S14).
  <Description of Effects>
  As the PEP selection unit 14 selects PEP(s) to enforce the one or more access control policies based on the monitoring information, the PEP selection unit 14 can select the PEP(s) necessary for the current situation while not selecting unnecessary ones. Therefore, the access management system 10 can maintain security and system efficiency under changing circumstances.
  (Second Example Embodiment)
  A second example embodiment of this disclosure will be described below, referring to the accompanying drawings. This second example embodiment explains one specific example of the first example embodiment; however, specific examples of the first example embodiment are not limited to this example embodiment.
  <Background Description>
  In terms of increasing the security of a target system, distribution of access control functions (access control policies) across multiple PEPs is promising. However, choosing arbitrary PEPs for restricting a certain access request, without careful consideration, can result in inefficient performance of the deployed access control system. For example, choosing an already overburdened PEP to enforce more access rules will result in an increased workload. Similarly, deploying all the access rules on an application firewall, without using any rules at a network firewall, may allow Distributed Denial of Service (DDoS) attacks to pass through the network access control. This would translate into losses: a high cost of deployment at the edge or in the cloud, losses due to poor customer satisfaction, inefficiencies in the working environment, and so on.
  On the other hand, enforcing access control at a network-level enforcement point (such as a router or a Layer-3 switch) or at an identity-based access control point (such as Active Directory), which controls access to a large number of resources or users with a single rule, may result in mis-control due to denial of access to other resources if access to one sensitive resource is denied for a particular IP address or a particular user. This may result in business losses due to denial of resources at mission-critical services or denial of essential resource access, etc.
  Moreover, the distribution of access control functions across different PEPs can benefit greatly from automation of the distribution process. Automation reduces the risk of human errors and the deployment of conflicting rules, and provides a more suitable PEP choice by monitoring the status of assets, logging the access requests and analyzing the rules deployed on the PEPs.
  Moreover, without automating the distribution of access control functions across different PEPs, the access control can become inefficient and prone to human errors and conflicting rules.
  Moreover, without considering any metric to determine an optimal, or at least suitable, choice of policy enforcement point for a given access request, the access control can become inefficient in terms of enforcement cost, latency in access, workload, denial of essential service, etc.
  Moreover, the best choice of access control PEP(s) depends on analyzing several dynamic factors which balance the trade-offs among goal advantages. The goal advantages include, but are not limited to, preserving security, reducing workload and/or enforcement cost, and minimizing the mis-control due to denial of access. Such factors vary dynamically according to changes in the environment. Therefore, a particular choice of PEP(s) suitable at one instant may not necessarily be suitable at another instant, even while controlling access in the same application, to the same resource, from the same device. Analyzing such dynamic factors therefore results in choosing the most desirable PEP(s) among the pool of capable PEP(s). It is required to dynamically evaluate such desirability to determine the suitable PEP(s), so as to balance the trade-offs, and to apply policy rules suitable for the determined PEP(s).
  In view of the above problems, one object of the present disclosure is to provide an access control system, access control method, and access control program that contribute to balancing the above-mentioned trade-offs by choosing the most desirable PEP(s).
  <Configuration Description>
  Fig. 3 is an example of a block diagram of an access control system. As shown in Fig. 3, the access control system 100 includes a monitoring unit 101, a policy database 102, a mapping module 110, a PEP selection module 120, and a rule generator 130. Hereinafter, an outline of the processing of each part will be described.
  The monitoring unit 101 monitors a target system subject to access control. The target system stores a Resource R to be accessed and includes PEPs controlling access to resources such as the Resource R. The PEPs may enforce access control at different layers according to the Open Systems Interconnection (OSI) model.
  For example, one PEP may enforce network layer access control while the other PEP may enforce application layer access control. In another example, two PEPs may enforce access control at the same layer but at different access granularities. For instance, one PEP enforces application layer access control per User-granularity while the other PEP enforces application layer access control per Resource-granularity. In yet another example, two PEPs enforce access control at the same layer and at the same granularity but their physical locations or logical placements are different. For instance, one PEP enforces access control at the network interface (such as firewall), while the other PEP enforces access control at the operating system interface (such as containers). For another instance, one PEP enforces application layer access control at the client side (such as web browser), while the other PEP enforces application layer access control at the server side (such as firewall).
  The monitoring unit 101 generates monitoring information I by the monitoring and outputs the monitoring information I to the mapping module 110 and the PEP selection module 120. The details of the monitoring information are already explained in the first example embodiment and are omitted here. For example, in Fig. 3, the monitoring unit 101 monitors a suspicious login attempt in which a user A accesses the Resource R and generates the monitoring information I indicating an access request in which the user A accesses the Resource R. The monitoring information I can vary dynamically.
  The policy database 102 stores a plurality of access control policies (hereinafter also referred to simply as policies). As shown above, a policy determines whether user actions are allowed or denied in the target system. The policy database 102 takes the monitoring information I as input, analyzes the monitoring information I and selects one or more of the policies P considered appropriate for the situation indicated by the monitoring information I. Hereinafter, the one or more selected policies P will be collectively referred to as the policy P. The policy database 102 outputs the policy P to the mapping module 110. The policy P can vary dynamically with the monitoring information I.
  The mapping module 110 takes as input the monitoring information I and the policy P from the policy database. Further, the mapping module 110 takes as input a pool of PEPs on which any policy is applicable. The pool of PEPs may be stored in a memory (not shown in Fig. 3). The mapping module 110 analyzes the monitoring information I and the policy P, then selects, from the pool of PEPs, a list of capable PEPs (namely, candidate PEPs) on which the given policy P can be applied, and outputs the list of capable PEPs. As with the policy P, the list of capable PEPs can vary with the monitoring information I.
  In this example, the mapping module 110 can determine whether PEPs of the target system can accommodate (i.e., withstand) the one or more policies. Then, the mapping module 110 selects the capable PEPs which can accommodate more rules in addition to the already employed rules without getting overburdened, or selects the capable PEPs which may satisfy conditions of proximity to the subject or resource in question.
  Further, the mapping module 110 can keep track of the capable PEPs by establishing a series of connections to the remote capable PEPs. The mapping module 110 can use a SYN-ACK handshake method for this; however, the method is not limited to this.
  The PEP selection module 120 includes a score calculation unit 121 and a PEP selection unit 122. The score calculation unit 121 calculates a desirability score for each PEP in the list of capable PEPs output by the mapping module 110 by analyzing several dynamic factors F. The several dynamic factors F include, but are not limited to, security coverage, enforcement cost, mis-control due to access denial, threat cause, urgency level, access granularity and workload of PEPs, among others. For example, a security professional manually provides a list of dynamic factors F to the PEP selection module 120. The desirability score is one example of an evaluation and is a measure of how desirable it is to enforce access control on the PEP for a given user's action (e.g., access request).
  The score calculation unit 121 may rank the PEPs in the decreasing order of their desirability scores when the desirability scores are numerical. The numerical score may be, but not limited to, a score in the range 0 to 1, where 1 is the most desirable and 0 is the least desirable. Alternatively, the score calculation unit 121 may group the desirability scores together according to their assigned category to calculate the objective desirability score when the desirability scores are categorical scores. The categorical score may be, but not limited to, an element in the set {Minimum, Low, Mediate, High, Maximum}, where "Maximum" is the most desirable and Minimum is the least desirable. In other words, the desirability score may be expressed as either quantitative or qualitative information.
  The PEP selection unit 122 ranks the PEPs by the desirability scores calculated by the score calculation unit 121 and selects one or more of the PEPs. Hereinafter, the one or more selected PEPs will be collectively referred to as the PEP. The PEP selection unit 122 may select the PEP with the highest desirability score as one or more optimal enforcement points for access control corresponding to a given access request. However, the selection method performed by the PEP selection unit 122 is not limited to this. For example, the PEP selection unit 122 may select the PEPs whose desirability scores are above a predetermined threshold. Alternatively, among all the PEPs in the list of capable PEPs, the PEP selection unit 122 may select the PEPs whose rank is above a predetermined rank.
  The rule generator 130 takes the policy P selected by the PEP selection unit 122 for access control and creates one or more specific access rules to be applied by the PEPs. Hereinafter, the one or more specific access rules will be collectively referred to as the specific access rule. During this process, the rule generator 130 may convert the format of the policy P into one enforceable at the PEPs selected by the PEP selection unit 122 to generate the specific access rule.
  The rule generator 130 also contains a module to transfer the specific access rule to the PEP selected by the PEP selection unit 122. The specific access rule can be transferred remotely by a central controller, such as an SDN controller. Alternatively, the transfer can be performed in a distributed manner. In such a distributed arrangement, rule generators constituting the rule generator 130 are distributed and placed on each PEP. The policy P is transferred remotely to these distributed rule generators and converted into the specific access rules which can be applied by each PEP.
  The outline of the functions of the access control system 100 is summarized here. The monitoring information I and the policy P are first analyzed by the mapping module 110 to create the list of capable PEPs on which the policy P can be enforced. Then, the desirability score is calculated and tabulated for each PEP by the score calculation unit 121 inside the PEP selection module 120. The score calculation unit 121 may consider several parameters to calculate the desirability score, where the several parameters reflect the requirements of the access control system 100. The PEP selection unit 122 then selects one or more PEPs which are top ranked in the desirability table. The one or more PEPs are regarded as the optimal PEP(s) for policy enforcement. The rule generator 130 creates enforceable rules from the policy P to be enforced at the selected PEP(s).
  Next, the details of the processing above (for example, the information used for the processing) will be described. The policy P includes access decisions corresponding to the access request indicated in the monitoring information I. For example, the access request in its simplest form contains identifiers of the subject requesting the access, identifiers of the resource requested by the subject, identifiers of the resource to which the access control should be applied, identifiers of the operation requested by the subject on the resource and/or a timestamp of the access.
  The monitoring information I may contain additional information about the subject and/or resource as well as the network. The monitoring information I may further contain various contextual information regarding the access. The following are examples of information included in the monitoring information I:
(1) Dynamically monitored information about a subject related to current authentication such as proof of authentication, type of authentication performed, timestamp of authentication, device on which the authentication is performed, time elapsed since the last authentication and/or any other information based on which the current authentication profile can be built;
(2) Dynamically monitored information about a subject related to history of authentication such as frequency of authentication, types of authentications performed before, anomaly between the current and previously performed authentication and/or any other information based on which the historical authentication profile can be built;
(3) Dynamically monitored information about a subject related to authorization of a user such as a user department, user job level, user role, user authorization token, user subscription, and/or any other information based on which the authorization profile of the user can be built;
(4) Dynamically monitored information about a subject related to authorization of a device such as serial number of a managed device, authorization token or software installed in the device, and/or any other information based on which the authorization profile of the device can be built;
(5) Dynamically monitored information about a subject related to the security state of a device such as device Operating System (OS) information, time elapsed since the last OS update, anti-virus software installed or not and its version, information about the software or apps installed in the devices, version of software required for connection such as Secure Shell (SSH) client, VPN (Virtual Private Network) client and/or any other information based on which the security state profile of the device can be built;
(6) Dynamically monitored information about a subject related to user behavior such as type of resource requested, confidentiality state of the resource, anomaly detected between previous access, contextual information such as location of access, time of access and/or any other information based on which the behavior profile of the user can be built;
(7) Dynamically monitored information about a subject related to urgency of access such as access to an essential resource, estimation of loss due to denial, and/or any other information based on which the urgency of the access can be determined;
(8) Any other Dynamically monitored information about a subject based on which the current profile about the subject can be built;
(9) Dynamically monitored information about a resource related to protected state of the resource such as confidentiality level, security state such as host OS name and version, anti-virus software installed or not and its version, information about the software or apps installed in the host, whether proper isolation of the resource is performed, version of software required for connection to a SSH server or VPN-server, for example, resource hosting application information such as web server name and version, and/or any other information based on which the security profile of the resource can be built; and/or
(10) Dynamically monitored information about a network such as an agreed routing path, connection information such as a layer 2 protocol used, location and type of connection used (such as public or private Wi-Fi (R: registered trademark), etc.), bandwidth on the connected network, whether the payload is encrypted or not, and encryption protocols used at any/all layers of the payload, and/or any other information based on which the network security profile can be built.
  The access decisions in the Policy P may consist of Allow or Deny decisions corresponding to different attributes collected in the dynamically monitored information I. The following are examples of the Allow or Deny decisions included in the Policy P:
(1) Allow or Deny decisions from a user to a resource, based on whether security requirements of the resource are met by the user or not, for example, considering Authentication and/or Authorization;
(2) Allow or Deny decisions from a user to a resource, based on whether expected behavior requirements for access from the user to the resource are met or not;
(3) Allow or Deny decisions from a user, using a device, to a resource, based on whether security requirements of the resource are met by the user using the device;
(4) Allow or Deny decisions from a user, using a device, on a network, to a resource, based on whether security requirements of the resource are met by the user using the device on the network; and/or
(5) Allow or Deny decisions from a user to a resource based on balancing several factors of security, as well as potential loss incurred due to denial of access from the user to the resource based on the dynamic information collected including but not limited to access needs related attributes.
  The Policy P may also contain countermeasure steps to obtain the access permissions in case where a Deny decision is given for an access request based on the monitoring information I. The following are examples of the countermeasure steps:
(1) Countermeasure steps related to a change in authentication protocol, for example using multi-factor authentication, updating to a secure password and re-logging in, using passkeys, and/or any other change in authentication steps which may help in obtaining access permission from a user to a resource;
(2) Countermeasure steps related to a device, such as using another more secure device (for example, using a managed device), updating device OS, removing harmful software or apps, installing secure software or apps, updating secure software or apps, and/or any other steps performed on the device which may help in obtaining access permission from a user, using a device to a resource;
(3) Countermeasure steps related to a network, such as using secure routing protocol, secure routing path, connecting to a secure Layer 2 protocol such as a company-owned network, or a network with sufficient security, and/or any other steps related to a network which may help in obtaining access from a user, using a device, on a network, to a resource; and/or
(4) Countermeasure steps related to change in other contextual attributes, such as login at a different time or changing location and/or any other steps related to change in contextual attributes which may help in obtaining access from a user to a resource.
  The mapping module 110 obtains the list of all capable PEPs on which the access control rules can be enforced at the current time, i.e. the processing execution timing of the access control system 100. The list may contain different types of PEPs for multi-layer access control, for instance, but not limited to:
(1) File I/O access control;
(2) Container-level access control;
(3) Inter-Process Communication (IPC) level access control determining rules for inter-process communication;
(4) OS-level access control;
(5) Basic Input Output System (BIOS) level access control;
(6) Hardware-level access control determining who can perform sensitive operations such as updating firmware;
(7) Layer 2 access control such as OpenFlow;
(8) Network access control at Layer 3 such as packet filtering firewall;
(9) Transport layer access control such as stateful firewall;
(10) Application layer access control such as application firewall, deep-packet inspection; and/or
(11) Identity based access control such as Identity Access Management, Active Directory, etc.
  The mapping module 110 analyzes the Policy P and, from the capable PEPs, determines the PEPs which are capable of enforcing the Policy P. Then, the mapping module 110 outputs the determined capable PEPs as a list.
  For example, if the policy P is "deny access to sensitive resources from User U", then this policy can be applied by 1) each application firewall on the sensitive resources, 2) identity access control PEPs such as Active Directory, 3) a network level PEP from which the user U requests access, and 4) layer 2 switches such as OpenFlow, among other PEPs. Note that the access policy P may not be enforced by some PEPs such as File I/O, because they would allow intrusion inside the resource servers before such an access control is performed. This may result in a security breach.
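The filtering performed by the mapping module, written out as an added example (this is not code from the patent or from NEC; the PEP pool, its capability attributes, the `Pep`/`Policy` types and the monitoring values are all constructed for illustration). A PEP is kept as capable when it can match at least one identifier the request can be pinned to (the user and resource named in the policy, plus the device and source network that the monitoring information I resolves the user to), when it enforces before the request reaches the resource host (which is why a File I/O control is dropped for a Deny policy), and when it still has room for another rule without being overburdened:

```python
"""Mapping module: filter a pool of PEPs down to those capable of enforcing a policy.

Added example; not code from the patent or from NEC. The PEP pool, the
capability attributes and the policy/monitoring data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Pep:
    name: str
    granularities: frozenset[str]      # identifiers the PEP can match: user, device, network, resource
    enforces_before_host_entry: bool   # False for PEPs that act only once the request is inside the resource host
    rule_capacity: int                 # rules the PEP can hold without being overburdened
    rules_in_use: int


@dataclass(frozen=True)
class Policy:
    effect: str                        # "deny" or "allow"
    subject: str                       # carried through to the rule generator; not needed for mapping
    resource: str


# Constructed PEP pool (attribute values are illustrative).
PEP_POOL = [
    Pep("application_firewall", frozenset({"resource"}), True, 1000, 120),
    Pep("active_directory", frozenset({"user"}), True, 5000, 800),
    Pep("l3_packet_filter", frozenset({"network"}), True, 200, 200),          # already full
    Pep("openflow_switch", frozenset({"device", "network"}), True, 4000, 35),
    Pep("file_io_acl", frozenset({"resource"}), False, 10000, 50),             # acts inside the resource host
]


def enforceable_identifiers(policy: Policy, monitoring: dict[str, str]) -> set[str]:
    """Identifiers at which this policy can be pinned.

    The policy names a user and a resource directly; the monitoring
    information I may additionally resolve the user to a device and to a
    source network, which lets device- and network-level PEPs enforce it.
    """
    ids = {"user", "resource"}
    if "device" in monitoring:
        ids.add("device")
    if "source_network" in monitoring:
        ids.add("network")
    return ids


def capable_peps(pool: list[Pep], policy: Policy, monitoring: dict[str, str]) -> list[str]:
    """Return the names of the PEPs on which the policy can be applied, in pool order."""
    ids = enforceable_identifiers(policy, monitoring)
    result = []
    for pep in pool:
        if not (pep.granularities & ids):
            continue  # cannot express the policy at any identifier it knows
        if policy.effect == "deny" and not pep.enforces_before_host_entry:
            continue  # the request would already be inside the resource server
        if pep.rules_in_use >= pep.rule_capacity:
            continue  # one more rule would overburden this PEP
        result.append(pep.name)
    return result


# Constructed inputs mirroring the text's example policy.
POLICY = Policy("deny", subject="user U", resource="sensitive resources")
MONITORING = {"device": "laptop-17", "source_network": "10.0.0.0/24"}

if __name__ == "__main__":
    print(capable_peps(PEP_POOL, POLICY, MONITORING))
```

With the constructed pool, the full packet filter and the File I/O control drop out, and the OpenFlow switch is only capable when the monitoring information actually resolves the user to a device or network; with an empty monitoring dictionary it is excluded as well.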
  The score calculation unit 121 calculates the desirability score for all the capable PEPs selected by the mapping module 110. For this calculation, the score calculation unit 121 compares several parameters related to, for instance, but not limited to, security, enforcement cost, workload, and/or mis-control due to denial of access, among others. The several parameters may reflect the requirements of the business. The following are examples of the calculation performed by the score calculation unit 121:
(1) Calculating the desirability of the PEP for policy enforcement by considering the cost of mis-control due to denial of access. For instance, when the access is restricted at the user access control level, such as Active Directory and other Identity Access Management based access control, enforcing user access control at the PEP blocks a plurality of accesses from the user. This may result in denial of several accesses which may be essential for workflow continuity. Consideration of such mis-control cost may be necessary for the desirability calculation;
(2) Calculating the desirability of the PEP for policy enforcement by considering threat cause. For instance, when the access policy denies an access to a resource based on the reason that the resource is confidential, the desirability of such a PEP which enforces access control based on a resource-level granularity will be higher. On the other hand, when the access policy denies an access to a resource based on the reason that the user is suspicious, the desirability of such a PEP which enforces access control based on user-level will be higher;
(3) Calculating the desirability of the PEP for policy enforcement by considering urgency of access. For instance, assume a situation in which the access policy denies an access request to a resource on account of a malicious activity being detected by the system, and on account of that it is necessary to enforce access control quickly. In such a scenario, the desirability of a PEP which can quickly update the access control rules and enforce new policies is higher. For example, user-based access control such as Active Directory often controls access using session tokens which have a relatively longer expiry time compared to sessions in application-level access control such as a resource firewall. Considering access control based on the higher urgency of restricting access, the desirability of the resource firewall will be greater compared to the Active Directory;
(4) Calculating the desirability of the PEP for policy enforcement by considering the workload on the PEP during enforcement. PEPs which enforce a single policy with a greater number of rules are bound to have a higher workload compared to PEPs which enforce it with fewer rules. Having a higher workload increases the decision latency and the enforcement cost in terms of increased storage and computing power. Therefore, the PEP with the lower workload will have a relatively larger desirability; and/or
(5) Calculating the desirability of the PEP for policy enforcement by considering the denial coverage. For instance, a PEP which enforces a deny policy with a single rule and is able to cover multitude of deny cases may be preferred over another PEP which uses a greater number of rules to cover the same number of deny cases. This is partly due to workload requirements and partly due to better security achievements of the former one.
  The score calculation unit 121 assigns numerical scores to all the PEPs selected by the mapping module 110. The numerical scores may be assigned such that it is easier to rank the PEPs from the most desirable to the least desirable based on the assigned scores.
  Several techniques can be used to calculate the numerical score. In one example, the most easily achievable method is to calculate the desirability score as a weighted sum. In this example, the desirability score for each PEP is obtained by first calculating the scores of the PEP corresponding to each parameter considered for the desirability calculation, then assigning a weight to each calculated value. The resulting desirability score of the PEP is then calculated as the weighted sum of the parameter score values. For example, the equation for the weighted sum is as follows. The desirability score for the PEP x is:

  D = \sum_{i} w_i \, s_i

where D is the desirability score for the PEP x, i indexes the parameters considered for the desirability calculation, w_i is the weight given to the parameter i, and s_i is the score calculated for the parameter i for the PEP x.
  Assignment of the weights is an essential step for calculating the desirability score. The assignment of the weights may differ among the several example embodiments of the present disclosure. The assignment of the weights can be performed as in the following examples, but is not limited thereto.
(1) In one of the example embodiments of the present disclosure, the weights corresponding to each parameter in the calculation of the desirability score can be manually set by the security operator. Here the security operator compares the relative importance of each parameter over the other and assigns appropriate weights to each of them. The weights may be set dynamically, and any other parameter may be selected over the other depending on the situation. For instance, in case where a security incident is reported, the relative importance of security is higher over workload or mis-control cost. Such a consideration can be made by the security operator to assign appropriate weights.
(2) In another example embodiment of the present disclosure, methods such as the Analytic Hierarchy Process (AHP) can be used to calculate the weights of the parameters. AHP utilizes the relative dominance among each pair of parameters. The relative dominance among a pair of parameters is set by the operator. Then the algorithm automatically computes the weights of the parameters.
(3) In yet another example embodiment of the present disclosure, methods to automatically compute the weights without the input of an operator can be utilized, such as algorithms which can automatically learn the weights for each parameter of the desirability calculation. For instance, machine learning and artificial intelligence are utilized to learn the parameter weights given enough training data from the logs of previous access control decisions or synthetically generated access control log data.
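The weighted-sum formula and the AHP weight assignment of item (2), carried through end to end as an added example (this is not code from the patent or from NEC; the four parameter names, the three PEP names, every per-parameter score and the two operator judgements are constructed, and `pairwise_from_priorities` is a convenience helper that builds a perfectly consistent pairwise matrix rather than the hand-filled matrix an operator would normally supply). Weights are derived from the pairwise dominance matrix by the row geometric-mean approximation of the principal eigenvector, then each PEP's score D = sum_i w_i s_i is tabulated, ranked and used for either top-k or threshold selection:

```python
"""Weighted-sum desirability scoring with AHP-derived weights.

Added example; not code from the patent or from NEC. Parameter names,
PEP names and all score values are constructed for illustration.
"""
from __future__ import annotations

# Parameters i considered for the desirability calculation. Each is oriented so
# that a higher s_i is more desirable (e.g. "low_mis_control" is high when the
# PEP would deny few essential accesses as a side effect).
PARAMS = ["security_coverage", "low_mis_control", "urgency_fit", "low_workload"]

# Constructed per-parameter scores s_i in [0, 1] for three capable PEPs.
PEP_SCORES = {
    "active_directory": {"security_coverage": 0.9, "low_mis_control": 0.5, "urgency_fit": 0.3, "low_workload": 0.8},
    "application_firewall": {"security_coverage": 0.5, "low_mis_control": 0.9, "urgency_fit": 0.6, "low_workload": 0.6},
    "layer3_gateway": {"security_coverage": 0.8, "low_mis_control": 0.1, "urgency_fit": 1.0, "low_workload": 0.9},
}


def ahp_weights(pairwise: list[list[float]]) -> list[float]:
    """Derive normalized weights w_i from an AHP pairwise dominance matrix.

    pairwise[i][j] states how much more important parameter i is than j
    (with pairwise[j][i] == 1 / pairwise[i][j]). The geometric mean of each
    row, normalized to sum to 1, is the usual approximation of the principal
    eigenvector; for a consistent matrix it is exact.
    """
    n = len(pairwise)
    row_means = []
    for row in pairwise:
        product = 1.0
        for value in row:
            product *= value
        row_means.append(product ** (1.0 / n))
    total = sum(row_means)
    return [m / total for m in row_means]


def pairwise_from_priorities(priorities: list[float]) -> list[list[float]]:
    """Build a consistent pairwise matrix a_ij = v_i / v_j from a priority vector.

    Operators normally fill the matrix by hand; this helper (an assumption of
    the example) only keeps it short and the matrix perfectly consistent.
    """
    return [[vi / vj for vj in priorities] for vi in priorities]


def desirability(scores: dict[str, float], weights: list[float]) -> float:
    """D = sum_i w_i * s_i for one PEP."""
    return sum(w * scores[p] for w, p in zip(weights, PARAMS))


def rank_peps(pep_scores: dict[str, dict[str, float]], weights: list[float]) -> list[tuple[str, float]]:
    """Return (pep, D) pairs in decreasing order of D, i.e. the desirability table."""
    table = [(name, desirability(s, weights)) for name, s in pep_scores.items()]
    return sorted(table, key=lambda row: row[1], reverse=True)


def select_peps(ranked: list[tuple[str, float]], threshold: float | None = None, top_k: int = 1) -> list[str]:
    """Pick the enforcement point(s): every PEP at or above a threshold
    (multi-layer, defence-in-depth) or just the top_k entries of the table."""
    if threshold is not None:
        return [name for name, d in ranked if d >= threshold]
    return [name for name, _ in ranked[:top_k]]


# Two constructed operator judgements, expressed as priorities over PARAMS:
# a high-urgency incident weights "urgency_fit" highest; a low-urgency case
# weights "security_coverage" highest and mis-control second.
HIGH_URGENCY = ahp_weights(pairwise_from_priorities([2, 1, 4, 1]))  # -> [0.25, 0.125, 0.5, 0.125]
LOW_URGENCY = ahp_weights(pairwise_from_priorities([4, 2, 1, 1]))   # -> [0.5, 0.25, 0.125, 0.125]

if __name__ == "__main__":
    for label, w in (("high urgency", HIGH_URGENCY), ("low urgency", LOW_URGENCY)):
        ranked = rank_peps(PEP_SCORES, w)
        print(label, [(n, round(d, 4)) for n, d in ranked], "->", select_peps(ranked))
```

With these inputs the high-urgency weights put the Layer-3 gateway on top (D = 0.825) and a threshold of 0.6 also keeps the application firewall for a multi-layer deployment, while the low-urgency weights move Active Directory to the top (D = 0.7125); the same per-PEP scores yield a different enforcement point purely through the weights, which is the point of making the weight assignment dynamic.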
  The PEP selection unit 122 is responsible for finally selecting the PEP on which the final access control policy is enforced. It may perform the selection by ranking the PEPs in the decreasing order of their desirability scores. Then, based on the desired security, it may select one or more PEPs among the top or high ranked PEPs. The PEPs with low desirability scores are not suitable for enforcing access control, and vice versa.
  The number of PEPs selected by the PEP selection unit 122 depends on the desired security requirements of the business. In the case of multi-layer security, multiple PEPs may be selected for defense-in-depth. For instance, consider two PEPs which are the top-ranked PEPs in the desirability calculation. One PEP performs user-granular access control, like Active Directory, and the other PEP performs access control at each resource level, like an application firewall. Then, in one of the example embodiments, the PEP selection unit 122 may select both PEPs for enforcing the access policy from the viewpoint "if multi-layer defense access control is desired". In another example embodiment, only one of the PEPs may be selected in a case where security is not much of a concern, but the cost of policy enforcement or latency is the concern.
  The rule generator 130 creates specific rules from the policy P by converting the policy P so the specific rules can be enforced at the PEP(s) selected by the PEP selection unit 122. As each PEP may have a specific format of enforceable rules based on access granularity or vendor specification, the converting process may be required.
  The rule generator 130 may contain several conversion modules to convert a given policy P into set of enforceable rules for each PEP. For instance, a policy "Deny access from device A hosted on IP 10.0.0.1 to Resource hosted on IP 11.0.0.1" can be converted to a firewall rule "(10.0.0.1, all, 11.0.0.1, all, Deny)" which can be enforced on the application firewall.
  To illustrate an example, a traditional access control system consisting of a Policy Decision Point (PDP) and several Policy Enforcement Points (PEP) is explained. The PEPs receive an access request from the subjects and redirect the access request to the PDP for querying the access decision. The PDP contains access policies, and it compares the access request with the access policies stored therein to decide whether the particular access can be allowed or denied.
  Fig. 4 is a schematic diagram for illustrating an example to be applied in the access control system 100. The system in Fig. 4 consists of a control plane, corresponding to the PDP above, and several PEPs. For instance, a Software Defined Network (SDN) controller in the control plane is responsible for deciding which PEP should be allowed to control the access for a given request. In the example of Fig. 4, a PEP 1, "IP management", prevents spoofing and impersonation of a user; a PEP 2, "Device EDR", restricts malicious device(s) and prevents device spoofing; a PEP 3, "Network Firewall", restricts malicious device(s) and restricts malicious network activity; a PEP k+1, "Application Firewall", restricts unauthorized requests and prevents application layer attacks; and a PEP k+2, "Container Firewall", restricts unauthorized commands.
  In such a case, the access control system 100 can be fit inside the SDN (or PDP) controller, which would dynamically send the policy in the form of enforceable rules to the selected PEP(s). Such a setting can be enforced in a centralized manner with the SDN controller located in the remote cloud while the PEPs are scattered among multiple places. Alternatively, the setting can be enforced locally in an edge-cloud setting where some functionality of the access control system is located in the cloud. For example, the PEP mapping function and the desirability score calculation are located in the cloud, while the remaining functions, such as the rule generator, are located at the edge.
  Note that the above example embodiments are mere examples, and the present disclosure is not limited to the above stated examples.
  Fig. 5 is a schematic diagram for illustrating the balancing of mis-control and security using an Active Directory and application firewall example to be applied in the access control system 100. In the target system shown in Fig. 5, the access control is not enforced on the Active Directory on account of the suspicious user activity (user access to a confidential resource 1 and a normal and essential resource 2) detected by the system, because it would result in denial of not only the confidential resource but also the essential resource. This situation, caused by the coarse-grained access control, results in an increased mis-control cost, which is not desirable.
  Instead, by using the methods of the access control system 100, fine-grained access control is possible as shown below. The access control is enforced at the resource firewall, which only blocks access to the confidential resource from the user, while the access to the essential resource is allowed. In this example, the choice of the application firewall over the Active Directory is made by calculating the desirability score in the PEP selection module inside the controller, as shown in Fig. 5. For example, the desirability score for an authenticator PEP (Active Directory) is 0.4, while the desirability score for the application firewall is 0.8. Therefore, the PDP (or SDN) to which the access control system 100 is applied selects the application firewall as the PEP to which an appropriate Deny rule should be applied. The appropriate Deny rule is enforced at the Application Firewall as the result. In the following examples of Figs. 6 and 7, the same points as in Fig. 5 will be omitted as appropriate.
  Fig. 6 is a schematic diagram for illustrating the balancing of mis-control and security using an Active Directory and application firewall example to be applied in the access control system 100. In the target system shown in Fig. 6, the access control is now enforced at the Active Directory because malicious activity is being detected by the system and the evidence is too much to ignore. Hence, the desirability calculation function ranks the Active Directory over the application firewall to satisfy the security requirements even at the cost of mis-control. For example, the desirability score for an authenticator PEP (Active Directory) is 0.8, while the desirability score for the application firewall is 0.4. The ranking indicates that the loss due to a security breach would be much more harmful compared to the loss due to denial of the essential service. An appropriate Deny rule is enforced at the Active Directory as the result.
  Further, a different situation will be considered for Fig. 6. Instead of considering the balancing of mis-control and security, threat cause will be considered. If the cause of the denial of access is determined to be "multiple failed authentications", the trust of the user who wants to access the resources gets drastically reduced. For such a case, by considering the threat cause, the access control system 100 can calculate the desirability of each PEP and determine the User access control in the form of Active Directory to be the most suitable PEP for enforcing the deny policy. An appropriate Deny rule is enforced at the Active Directory as the result.
  Further, a different situation will be considered for Fig. 5. Instead of considering the balancing of mis-control and security, threat cause will be considered. If the cause of the denial of access is determined to be "high confidentiality of resource", the security of the confidential resource over its untrusted access gets prioritized. For such a case, by considering the threat cause, the access control system 100 calculates the desirability of each PEP and determines the resource access control in the form of Application Firewall to be the most suitable PEP for enforcing the deny policy. An appropriate Deny rule is enforced at the Application Firewall as the result.
  Fig. 7 is a schematic diagram for illustrating a high urgency example to be applied in the access control system 100. In the target system shown in Fig. 7, there are three different PEPs which are capable of enforcing the Deny policy, namely Active Directory enforcing user level access control, an application firewall enforcing resource level access control and a Layer-3 gateway device enforcing network level access control. It is fairly common knowledge that network access control would be the quickest way to restrict access in case of urgency, since the network access control restricts any access from the malicious user or device. As the urgency is high in this scenario, the access control system 100 selects the Layer-3 gateway device to enforce the access control, as the PEP selection module in the PDP will select the Layer-3 gateway with the highest desirability. For example, the desirability score for an authenticator PEP (Active Directory) is 0.4, the desirability score for the application firewall is 0.5, while the desirability score for the Layer-3 gateway is 0.8. The ranking indicates that a high urgency situation is occurring. In this way, an appropriate Deny rule is enforced at the Layer-3 gateway device as the result.
  Further, a different situation will be considered for Fig. 7. Instead of considering the high urgency example, a low urgency example will be considered. In this example, the malicious activity is detected from the user or device; however, the urgency is low. In such scenario, the PEP selection module in the PDP will not select the Layer-3 gateway device to enforce access control, because it will also restrict the access to the destination network from all the devices on the source network. This restriction reduces the availability of services to other users or access subjects.
  Instead, the desirability of the Active Directory enforcing user level access control will be higher, as it will restrict all access from the malicious user. However, the access revocation might be slow, as the user can still access some of the resources on the destination network using previously received session tokens. Nevertheless, as the urgency is low, this solution may turn out to be the optimal one. For example, the desirability score for an authenticator PEP (Active Directory) is 0.8, the desirability score for the application firewall is 0.5, while the desirability score for the Layer-3 gateway is 0.4. The ranking indicates that selecting the Active Directory is suitable. In this way, an appropriate Deny rule is enforced at the Active Directory as the result.
<Flow Description>
  Next, referring to the flowcharts in Fig. 8, examples of the operation of the present disclosure will be described with taking into account a specific situation. Throughout the processes, dynamic selection of a policy enforcement point is performed. The detail of each processing in Fig. 8 is already explained above and its explanation is omitted as appropriate.
  First, the monitoring unit 101 generates monitoring information I by monitoring a target system (step S22). In this example, the monitoring unit 101 monitors a suspicious activity by a user A; specifically, the monitoring unit 101 detects that the user A is accessing an unauthorized resource R in the target system. Then, the monitoring unit 101 generates and outputs the monitoring information I indicating an access request in which the user A accesses the unauthorized resource R.
  The policy database 102 analyzes the monitoring information I and selects the policy P considered appropriate for the situation described by the monitoring information I (step S24). In this example, the policy P selected by the policy database 102 is "Deny access from user A to Resource R" as an appropriate response towards the access. The policy database 102 outputs the policy P to the mapping module 110.
  The mapping module 110 analyzes the policy P and the user activity indicated by the monitoring information I, and then generates and outputs a list of capable PEPs on which the given policy P can be applied as a result of the analysis (step S26). In this example, the list of capable PEPs indicates: authenticator (i.e. Active Directory, enforcing user-granular access control), Layer-2 switch (enforcing device-granular access control), Layer-3 switch (enforcing network access control with IP address-based rules) and application firewall (enforcing resource-granular access control), each of which is capable of enforcing the policy P.
  Next, the score calculation unit 121 calculates a desirability score for each PEP from the list of capable PEPs and generates a table of the calculated desirability scores (step S28). In this example, to calculate the desirability score for the PEPs, the score calculation unit 121 analyzes the following parameters as dynamic factors F: mis-control due to access denial, threat cause, urgency level, access granularity, security coverage, and workload of PEPs, among others.
  After that, the PEP selection unit 122 ranks the PEPs in the order of their desirability scores and selects the top-ranked PEP(s) in the desirability score table (step S30). The PEP selection unit 122 determines the one or more top-ranked PEPs as the most desirable access control enforcement point(s), i.e. the subjects that enforce the given policy P. For example, if the score of the Active Directory is 0.8, the score of the Layer-2 switch is 0.6, the score of the Layer-3 switch is 0.6 and the score of the application firewall is 0.4, the PEP selection unit 122 selects the Active Directory as the top-ranked PEP.
  Finally, the rule generator 130 converts the policy P into enforceable rules (specific access rules) for each selected PEP for enforcing access control (step S32). For example, the rule generator 130 generates enforceable rules indicating that the access by the user A should be blocked for one day, such as {"userToBlock": "user A", "set blockDuration: 1 day", "Disable-AD account"}. The rule generator 130 then distributes the enforceable rules to the selected PEP(s), which perform the desired access control enforcement.
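The flow of steps S22 to S32 above, as an added Python example that is not part of the patent: the mapping module keeps the PEPs that can express the policy, the score calculation weights the dynamic factors F named above (weights depend on the urgency carried in I, so the ranking changes as I changes), the top-ranked PEP is selected, and the policy is converted into that PEP's own rule format. All factor values, weights, workloads, the threat-cause labels and the IP/MAC fields are constructed assumptions, not values from the disclosure.

```python
"""Dynamic PEP selection: mapping -> scoring -> selection -> rule generation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PEP:
    name: str
    layer: str    # "identity", "l2", "l3" or "application"
    load: float   # current workload, 0.0 (idle) .. 1.0 (saturated); constructed


@dataclass(frozen=True)
class Monitoring:            # monitoring information I
    user: str
    resource: str
    source_ip: str           # constructed field, used for Layer-3 rules
    device_mac: str          # constructed field, used for Layer-2 rules
    threat_cause: str        # "credential-misuse" or "compromised-device"
    urgency: str             # "low" or "high"


@dataclass(frozen=True)
class Policy:                # policy P, e.g. "Deny access from user A to resource R"
    action: str
    user: str
    resource: str


# Mapping module: which policy actions each PEP layer can enforce (constructed).
CAPABILITY = {"identity": {"deny"}, "l2": {"deny", "quarantine"},
              "l3": {"deny", "rate-limit"}, "application": {"deny", "rate-limit"}}

# Static factor values per layer, each in [0, 1], higher = more desirable (constructed):
# (mis-control avoidance, security coverage, revocation speed, granularity fit).
# Identity has high coverage but slow revocation, since issued session tokens persist.
STATIC = {"identity": (0.5, 0.9, 0.3, 0.8), "l2": (0.6, 0.7, 0.8, 0.5),
          "l3": (0.4, 0.6, 0.9, 0.4), "application": (0.9, 0.5, 0.8, 0.7)}

# Threat cause: how well a layer addresses the suspected cause (constructed).
THREAT_FIT = {
    "credential-misuse": {"identity": 1.0, "application": 0.7, "l2": 0.3, "l3": 0.3},
    "compromised-device": {"l2": 1.0, "l3": 0.8, "identity": 0.4, "application": 0.4},
}

# Factor weights keyed by urgency level: high urgency favours fast revocation.
WEIGHTS = {
    "low":  {"collateral": 0.20, "coverage": 0.25, "speed": 0.05,
             "granularity": 0.15, "threat": 0.25, "workload": 0.10},
    "high": {"collateral": 0.05, "coverage": 0.20, "speed": 0.45,
             "granularity": 0.05, "threat": 0.15, "workload": 0.10},
}


def capable_peps(peps, policy):
    """Step S26: list of capable PEPs on which policy P can be applied."""
    return [p for p in peps if policy.action in CAPABILITY[p.layer]]


def desirability(pep, info):
    """Step S28: weighted sum of the dynamic factors F for one PEP."""
    collateral, coverage, speed, granularity = STATIC[pep.layer]
    factors = {"collateral": collateral, "coverage": coverage, "speed": speed,
               "granularity": granularity,
               "threat": THREAT_FIT[info.threat_cause][pep.layer],
               "workload": 1.0 - pep.load}
    w = WEIGHTS[info.urgency]
    return round(sum(w[k] * v for k, v in factors.items()), 3)


def select_pep(peps, policy, info):
    """Step S30: rank the capable PEPs and return (top PEP, full score table)."""
    table = sorted(((p, desirability(p, info)) for p in capable_peps(peps, policy)),
                   key=lambda row: row[1], reverse=True)
    return table[0][0], [(p.name, s) for p, s in table]


def to_rule(pep, policy, info):
    """Step S32: convert P into the selected PEP's own enforceable rule."""
    if pep.layer == "identity":
        return {"userToBlock": policy.user, "blockDuration": "1 day",
                "action": "Disable-AD account"}
    if pep.layer == "l2":
        return {"blockMac": info.device_mac, "blockDuration": "1 day"}
    if pep.layer == "l3":
        return {"acl": f"deny ip host {info.source_ip} any", "blockDuration": "1 day"}
    return {"deny": {"user": policy.user, "resource": policy.resource},
            "blockDuration": "1 day"}


PEPS = [PEP("Active Directory", "identity", 0.3), PEP("Layer-2 switch", "l2", 0.2),
        PEP("Layer-3 switch", "l3", 0.5), PEP("application firewall", "application", 0.4)]
POLICY = Policy("deny", "user A", "resource R")


def run(urgency):
    """One pass of the flow for a constructed I with the given urgency level."""
    info = Monitoring("user A", "resource R", "10.0.0.23", "00:11:22:33:44:55",
                      "credential-misuse", urgency)
    top, table = select_pep(PEPS, POLICY, info)
    return top.name, table, to_rule(top, POLICY, info)


if __name__ == "__main__":
    for urgency in ("low", "high"):
        name, table, rule = run(urgency)
        print(f"urgency={urgency}: table={table}\n  selected {name} -> {rule}")
```

With low urgency the Active Directory ranks first (0.78) despite its slow revocation; with high urgency the same policy and the same PEPs yield the application firewall (0.705) and the Active Directory drops to last, which is the situation-dependent behaviour the description attributes to the dynamic factors.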
  <Description of Effects>
  For the same reasons as described in the first example embodiment, the access control system 100 can maintain security and system efficiency under changing circumstances. Specifically, the access control system 100 can contribute to balancing the trade-offs mentioned above by choosing the most desirable PEP(s).
  In addition, the mapping module 110 can select one or more PEPs using the monitoring information I and the policy P. Therefore, the access control system 100 can select the PEPs to enforce the policy more correctly.
  In addition, the score calculation unit 121 can calculate evaluation for each PEP candidate and selects the one or more PEPs from the PEP candidates based on the evaluation. Therefore, by using the evaluation, the access control system 100 can select the PEPs to enforce the policy more correctly.
  Furthermore, the score calculation unit 121 can calculate the evaluation for each PEP candidate by weighting differently depending on a plurality of factors. Therefore, by refining the calculation, the access control system 100 can select the PEPs to enforce the policy more correctly.
  Furthermore, the score calculation unit 121 can calculate the evaluation so that the evaluation changes as the monitoring information changes. Therefore, by reflecting dynamically changing information, the access control system 100 can allow for situation-based selection.
  Furthermore, the mapping module 110 can select the PEP candidates from PEPs of the target system, wherein the PEP candidates differ in at least one of belonging layers, access granularities, or locations. Therefore, as the access control system 100 can select PEPs that differ in layer, granularity or location, the access control system 100 can ensure security.
  Furthermore, the mapping module 110 can determine whether PEPs of the target system can accommodate the policy P and select a plurality of PEPs, from PEPs of the target system, as the PEP candidates that can accommodate the policy P. Therefore, it is possible to avoid a state in which the selected PEP cannot enforce the policy P and to ensure that security is effective.
  Furthermore, the mapping module 110 can select the PEP candidates from PEPs of the target system by establishing a series of connections to remote PEPs of the target system. Therefore, the access control system 100 can make the remote PEPs enforce the policy P and ensure security.
  In addition, the rule generator 130 can convert the policy P to one or more rules conforming to the one or more PEPs selected by the PEP selection unit 122. Therefore, it is possible to ensure that the policy P is enforced in the selected PEP(s) and to ensure that security is effective.
  Next, a configuration example of the access management system 10 and/or the access control system 100 is explained hereinafter with reference to Fig. 9.
  Fig. 9 is a drawing illustrating an example of the hardware configuration of a computer system applicable to the access management system 10 and/or the access control system 100. The computer system may include an information processing apparatus (computer) 200 having the hardware configuration shown in Fig. 9. It should be noted that the hardware configuration shown in Fig. 9 is merely an example of the hardware configuration realizing the function of the access management system 10 and/or the access control system 100 and is not intended to limit the hardware configuration of the computer system. The computer system may include hardware not shown in Fig. 9.
  As shown in Fig. 9, the computer 200 includes a Central Processing Unit (CPU) 210, a primary storage device 220, an auxiliary storage device 230, and a Network Interface Card (NIC) 240, which is a communication interface. However, the type of the communication interface is not limited to this. These elements are connected to each other by, for instance, an internal bus.
  The CPU 210 executes a program (program instructions) stored in the primary storage device 220 to realize the functions and processes of the access management system 10 and/or the access control system 100. Furthermore, the CPU 210 may receive commands from the NIC and execute the program in accordance with the commands.
  The CPU 210 is one example of a processor. Instead of the CPU, for example, a microprocessor or an MPU (Micro Processing Unit) can be used. Further, the computer 200 may include a plurality of processors. In this case, each of the processors executes one or a plurality of programs including a group of instructions to cause a computer to perform an algorithm explained above with reference to the drawings.
  The primary storage device 220 temporarily stores the program executed by the computer 200 so that the CPU 210 can process it. The primary storage device 220 includes, for example, a semiconductor memory (for example, Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable and Programmable ROM (EEPROM)), and/or a storage device including at least one of Hard Disk Drive (HDD), SSD (Solid State Drive), Compact Disc (CD), Digital Versatile Disc (DVD) and so forth. From another point of view, the primary storage device 220 is formed by a volatile memory and/or a nonvolatile memory. The primary storage device 220 may include a storage disposed apart from the CPU 210. In this case, the CPU 210 may access the primary storage device 220 through the NIC.
  The auxiliary storage device 230 is, for instance, a Hard Disk Drive (HDD) and may store the program therein for a long term. The program may be provided as a computer program stored in a non-transitory computer-readable storage medium. When in use, the program is transmitted from the auxiliary storage device 230 to the primary storage device 220.
  The NIC 240 provides an interface to an external terminal via a network. The NIC 240 is used to receive or to transmit traffic communications.
  Further, the program stored in the primary storage device 220 and/or the auxiliary storage device 230 includes program instructions (program modules) for executing the processing of each unit of the access management system 10 and/or the access control system 100 in the above-described plurality of example embodiments. The program may include instructions (or software codes) that, when loaded into a computer, cause the computer to perform one or more of the functions described in the example embodiments. The program may be stored in a non-transitory computer readable medium or a tangible storage medium. By way of example, and not limitation, non-transitory computer readable media or tangible storage media can include a RAM, a ROM, a flash memory, an SSD or other memory technologies, compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W), digital versatile disk (DVD), Blu-ray disc ((R): Registered trademark) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. The program may be transmitted on a transitory computer readable medium or a communication medium. By way of example, and not limitation, transitory computer readable media or communication media can include electrical, optical, acoustical, or other forms of propagated signals.
  In some example embodiments, implementation of the access management system 10 and/or the access control system 100 can be done not only in one computer system but also in a plurality of computer systems. For example, one computer system can send/receive data needed for operations processed in the access management system 10 and/or the access control system 100 to/from another computer system to achieve the operations.
  The whole or part of the example embodiments disclosed above can be described as, but not limited to, the following supplementary notes.
  (Supplementary Note 1)
  An access management system comprising:
  an obtaining means for obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and
  a Policy Enforcement Point (PEP) selection means for selecting one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information.
  (Supplementary Note 2)
  The access management system according to Supplementary Note 1, wherein
   the PEP selection means selects the one or more PEPs using the monitoring information and the one or more access control policies.
   (Supplementary Note 3)
  The access management system according to Supplementary Note 2, wherein
  the PEP selection means calculates evaluation for each PEP candidate and selects the one or more PEPs from the PEP candidates based on the evaluation.
   (Supplementary Note 4)
  The access management system according to Supplementary Note 3, wherein
  the PEP selection means calculates the evaluation for each PEP candidate by weighting differently depending on a plurality of factors.
   (Supplementary Note 5)
  The access management system according to Supplementary Note 3 or 4, wherein
  the PEP selection means calculates the evaluation so that the evaluation changes as the monitoring information changes.
   (Supplementary Note 6)
  The access management system according to any one of Supplementary Notes 3 to 5, wherein further comprising:
  a PEP candidate selection means for selecting the PEP candidates from PEPs of the target system, wherein the PEP candidates differ in at least one of belonging layers, access granularities, or locations.
   (Supplementary Note 7)
  The access management system according to any one of Supplementary Notes 3 to 5, wherein further comprising:
  a PEP candidate selection means for determining whether PEPs of the target system can accommodate the one or more policies and selecting a plurality of PEPs, from PEPs of the target system, as the PEP candidates that can accommodate the one or more policies.
   (Supplementary Note 8)
  The access management system according to any one of Supplementary Notes 3 to 5, wherein further comprising:
  a PEP candidate selection means for selecting the PEP candidates from PEPs of the target system by establishing a series of connection to remote PEPs of the target system.
   (Supplementary Note 9)
  The access management system according to any one of Supplementary Notes 1 to 8, wherein further comprising:
  a conversion means for converting the one or more access control policies to one or more rules conforming to the one or more PEPs selected by the PEP selection means.
   (Supplementary Note 10)
  An access management method performed by a computer comprising:
  obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and
  selecting one or more Policy Enforcement Point (PEP)s of the target system to enforce the one or more access control policies based on the monitoring information.
   (Supplementary Note 11)
  The access management method according to Supplementary Note 10, wherein further comprising:
  selecting the one or more PEPs using the monitoring information and the one or more access control policies.
   (Supplementary Note 12)
  The access management method according to Supplementary Note 11, wherein further comprising:
  calculating evaluation for each PEP candidate and selecting the one or more PEPs from the PEP candidates based on the evaluation.
  (Supplementary Note 13)  
  The access management method according to Supplementary Note 12, wherein further comprising:
  calculating the evaluation for each PEP candidate by weighting differently depending on a plurality of factors.
  (Supplementary Note 14)  
  The access management method according to Supplementary Note 12 or 13, wherein further comprising:
  calculating the evaluation so that the evaluation changes as the monitoring information changes.
   (Supplementary Note 15)  
  The access management method according to any one of Supplementary Notes 12 to 14, wherein further comprising:
  selecting the PEP candidates from PEPs of the target system, wherein the PEP candidates differ in at least one of belonging layers, access granularities, or locations.
   (Supplementary Note 16)  
  The access management method according to any one of Supplementary Notes 12 to 14, wherein further comprising:
  determining whether PEPs of the target system can accommodate the one or more policies and selecting a plurality of PEPs, from PEPs of the target system, as the PEP candidates that can accommodate the one or more policies.
   (Supplementary Note 17)  
  The access management method according to any one of Supplementary Notes 12 to 14, wherein further comprising:
  selecting the PEP candidates from PEPs of the target system by establishing a series of connection to remote PEPs of the target system.
   (Supplementary Note 18)  
  The access management method according to any one of Supplementary Notes 10 to 17, wherein further comprising:
  converting the one or more access control policies to one or more rules conforming to the one or more PEPs.
   (Supplementary Note 19)  
  A program for causing a computer to execute:
  obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and
  selecting one or more Policy Enforcement Point (PEP)s of the target system to enforce the one or more access control policies based on the monitoring information.
   (Supplementary Note 20)  
  The program according to Supplementary Note 19, wherein the computer further executes:
  selecting the one or more PEPs using the monitoring information and the one or more access control policies.
  Some or all of elements (e.g., structures and functions) specified in Supplementary Notes 3 to 9 dependent on Supplementary Note 1 may also be dependent on Supplementary Note 19 in dependency similar to that of Supplementary Notes 3 to 9 on Supplementary Note 1. Some or all of elements specified in any of Supplementary Notes may be applied to various types of hardware, software, and recording means for recording software, systems, and methods.
  While each example embodiment of the present disclosure has been described, it is to be noted that it is possible to modify or adjust the example embodiments or examples within the whole disclosure of the present disclosure (including the Claims) and based on the basic technical concept thereof. Further, it is possible to variously combine or select (or at least partially remove) a wide variety of the disclosed elements (including the individual elements of the individual claims, the individual elements of the individual example embodiments or examples, and the individual elements of the individual figures) within the scope of the whole disclosure of the present disclosure. That is, it is self-explanatory that the present disclosure includes any types of variations and modifications to be done by a skilled person according to the whole disclosure including the Claims and the technical concept of the present disclosure. Particularly, any numerical ranges disclosed herein should be interpreted that any intermediate values or subranges falling within the disclosed ranges are also concretely disclosed even without specific recital thereof. Each example embodiment can be appropriately combined with at least one of example embodiments. Further, the disclosure of Patent Literature cited above is incorporated herein in its entirety by reference thereto.
10  access management system
12  obtaining unit
14  PEP selection unit
100  access control system
101  monitoring unit
102  policy database
110  mapping module
120  PEP selection module
121  score calculation unit
122  PEP selection unit
130  rule generator
200  computer
210  CPU
220  primary storage device
230  auxiliary storage device
240  NIC

Claims (20)

  1.   An access management system comprising:
      an obtaining means for obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and
      a Policy Enforcement Point (PEP) selection means for selecting one or more PEPs of the target system to enforce the one or more access control policies based on the monitoring information.
  2.   The access management system according to claim 1, wherein
      the PEP selection means selects the one or more PEPs using the monitoring information and the one or more access control policies.
  3.   The access management system according to claim 2, wherein
      the PEP selection means calculates evaluation for each PEP candidate and selects the one or more PEPs from the PEP candidates based on the evaluation.
  4.   The access management system according to claim 3, wherein
      the PEP selection means calculates the evaluation for each PEP candidate by weighting differently depending on a plurality of factors.
  5.   The access management system according to claim 3 or 4, wherein
      the PEP selection means calculates the evaluation so that the evaluation changes as the monitoring information changes.
  6.   The access management system according to any one of claims 3 to 5, wherein further comprising:
      a PEP candidate selection means for selecting the PEP candidates from PEPs of the target system, wherein the PEP candidates differ in at least one of belonging layers, access granularities, or locations.
  7.   The access management system according to any one of claims 3 to 5, wherein further comprising:
      a PEP candidate selection means for determining whether PEPs of the target system can accommodate the one or more policies and selecting a plurality of PEPs, from PEPs of the target system, as the PEP candidates that can accommodate the one or more policies.
  8.   The access management system according to any one of claims 3 to 5, wherein further comprising:
      a PEP candidate selection means for selecting the PEP candidates from PEPs of the target system by establishing a series of connection to remote PEPs of the target system.
  9.   The access management system according to any one of claims 1 to 8, wherein further comprising:
      a conversion means for converting the one or more access control policies to one or more rules conforming to the one or more PEPs selected by the PEP selection means.
  10.   An access management method performed by a computer comprising:
      obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and
      selecting one or more Policy Enforcement Point (PEP)s of the target system to enforce the one or more access control policies based on the monitoring information.
  11.   The access management method according to claim 10, wherein further comprising:
      selecting the one or more PEPs using the monitoring information and the one or more access control policies.
  12.   The access management method according to claim 11, wherein further comprising:
      calculating evaluation for each PEP candidate and selecting the one or more PEPs from the PEP candidates based on the evaluation.
  13.   The access management method according to claim 12, wherein further comprising:
      calculating the evaluation for each PEP candidate by weighting differently depending on a plurality of factors.
  14.   The access management method according to claim 12 or 13, wherein further comprising:
      calculating the evaluation so that the evaluation changes as the monitoring information changes.
  15.   The access management method according to any one of claims 12 to 14, wherein further comprising:
      selecting the PEP candidates from PEPs of the target system, wherein the PEP candidates differ in at least one of belonging layers, access granularities, or locations.
  16.   The access management method according to any one of claims 12 to 14, wherein further comprising:
      determining whether PEPs of the target system can accommodate the one or more policies and selecting a plurality of PEPs, from PEPs of the target system, as the PEP candidates that can accommodate the one or more policies.
  17.   The access management method according to any one of claims 12 to 14, wherein further comprising:
      selecting the PEP candidates from PEPs of the target system by establishing a series of connection to remote PEPs of the target system.
  18.   The access management method according to any one of claims 10 to 17, wherein further comprising:
      converting the one or more access control policies to one or more rules conforming to the one or more PEPs.
  19.   A program for causing a computer to execute:
      obtaining monitoring information and one or more access control policies, wherein the monitoring information is generated by monitoring a target system subject to access control; and
      selecting one or more Policy Enforcement Point (PEP)s of the target system to enforce the one or more access control policies based on the monitoring information.
  20.   The program according to claim 19, wherein the computer further executes:
      selecting the one or more PEPs using the monitoring information and the one or more access control policies.
PCT/JP2023/045362 2023-12-18 2023-12-18 Access management system, access management method and program Pending WO2025134208A1 (en)
Publications (1)

Publication Number Publication Date
WO2025134208A1 true WO2025134208A1 (en) 2025-06-26
Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 23962131; Country of ref document: EP; Kind code of ref document: A1)