
A Computer Implemented System And Method For Managing Shared Accounts

Abstract: A computer implemented system and method for managing shared accounts is disclosed. The system includes an access control means and an access control station. The access control means comprises sensing means adapted to sense access requests corresponding to the shared accounts and redirecting means for redirecting the sensed requests to the access control station. The access control station comprises a repository for storing authentication credentials of a plurality of qualified shared account users and secured credentials and/or passwords for accessing the shared accounts. The access control station prompts the requestors of the redirected requests for authentication credentials, compares the authentication credentials received from the requestors with those stored in the repository and, based on the comparison, provides the requestors with access to the shared accounts.


Patent Information

Filing Date: 02 December 2010
Publication Number: 38/2013
Publication Type: INA
Invention Field: COMPUTER SCIENCE
Email: dewan@rkdewanmail.com
Grant Date: 2023-09-18

Applicants

TATA CONSULTANCY SERVICES LTD.
NIRMAL BUILDING, 9th FLOOR, NARIMAN POINT, MUMBAI-400 021, MAHARASHTRA, INDIA.

Inventors

1. RAMAMOORTHY, VINOD SRINIVAS
TATA CONSULTANCY SERVICES, TATA RESEARCH DEVELOPMENT & DESIGN CENTRE, 54, HADAPSAR INDUSTRIAL ESTATE, HADAPSAR, PUNE-411 013, MAHARASHTRA, INDIA
2. SHUKLA, MANISH
TATA CONSULTANCY SERVICES, TATA RESEARCH DEVELOPMENT & DESIGN CENTRE, 54, HADAPSAR INDUSTRIAL ESTATE, HADAPSAR, PUNE-411 013, MAHARASHTRA, INDIA
3. LODHA, SACHIN PREMSUKH
TATA CONSULTANCY SERVICES, TATA RESEARCH DEVELOPMENT & DESIGN CENTRE, 54, HADAPSAR INDUSTRIAL ESTATE, HADAPSAR, PUNE-411 013, MAHARASHTRA, INDIA
4. CHAMARTY, SITARAM
TATA CONSULTANCY SERVICES, TATA RESEARCH DEVELOPMENT & DESIGN CENTRE, 54, HADAPSAR INDUSTRIAL ESTATE, HADAPSAR, PUNE-411 013, MAHARASHTRA, INDIA

Specification

FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(See Section 10; Rule 13)
A COMPUTER-IMPLEMENTED SYSTEM AND METHOD FOR MANAGING SHARED ACCOUNTS
TATA CONSULTANCY SERVICES LTD.
an Indian Company of Nirmal Building, 9th floor, Nariman Point, Mumbai 400 021,
Maharashtra, India
The following specification particularly describes the invention and the manner in
which it is to be performed

FIELD OF THE DISCLOSURE
The present disclosure relates to the field of implementing access control mechanisms.
Specifically, the present disclosure relates to the field of managing shared accounts and providing controlled access to data sources accessible through the shared accounts.
DEFINITIONS OF TERMS USED IN THE SPECIFICATION
The term 'shared accounts' in this specification relates to user accounts which are assigned unrestricted access rights and are shared among associates within the organization for performing administrative, diagnostic, management or operational tasks. For instance, in a trading application, administrators / technical personnel are required to perform tasks like redirecting funds and buying/selling stocks on behalf of customers, which require them to log in via shared accounts to access sensitive customer data and perform the desired operations.
The term 'privileged accounts' refers to any type of user account that holds special or extra access permissions. Privileged accounts are usually categorized into the following types:
1. Generic/Shared Administrative Accounts - the non-personal accounts that exist in virtually every device or software application. These accounts hold "super user" privileges and are often shared among multiple personnel. Some examples of administrative accounts include but are not restricted to the Windows administrator user account, the UNIX root user account, and the Oracle SYS account.
2. Privileged Personal Accounts - Privileged personal accounts are typically used by business users and IT personnel. These accounts have a high level of privilege and their use or misuse significantly affects the corresponding organization's business. Some examples of Privileged Password Accounts include but are not restricted to the CFO's user account and the DBA user account.
3. Application Accounts - accounts used by a particular application to access relevant databases and other relevant applications. These accounts typically have broad access to underlying business information in databases.
4. Emergency Accounts - special generic accounts used by an enterprise when elevated privileges are required to fix urgent problems, such as in cases of business continuity or disaster recovery. Access to these accounts frequently requires managerial approval. These accounts are also termed fire-call IDs or break-glass user accounts.
A privileged account can be described as a shared account, but not all shared accounts can be referred to as privileged accounts, because such shared accounts are not bound by extra access requirements or special access permissions. For example, a subscription account created by a third-party service provider for a service consumer would be classified as a shared account but not as a privileged account, since it does not hold any confidential or privileged data. Similarly, a vehicle insurance company needs frequent updates on the driving history of its clients, such as accident history and ticket history, in order to decide the premium to be paid by a client. Normally in such cases the driving history provider creates a unique account for the insurance company, and many associates of the insurance company access it either programmatically or through manual interaction. Similarly, in a multi-vendor environment a particular project is broken down into smaller independent components. These components are then assigned to multiple vendors for implementation, who may or may not share common data. Where data sharing is required, the client creates a common account for all the vendors. In this case the client offering the project is the information provider and the vendors are the consumers.
From the aforementioned examples and from the definition of 'shared accounts', the following points can be inferred:
1. Accountability in the case of a shared account is low, as there is no user access management system in place and hence no way of tracking who accessed the account and what changes were made.
2. Confidentiality associated with such shared accounts is low, as no history of the people accessing the shared account is maintained, which may lead to the leakage of confidential information to unauthorized individuals or systems.
3. The availability and functioning of the shared account itself is largely at risk because of non-systematic access and the absence of a robust tracking system.
4. Password management is a major task in the case of shared accounts, which, unlike regular identities, are not associated with a single person but are shared amongst at least a few associates; hence a password change would involve identifying all the users and informing them of the new credentials or password.
5. In the case of a shared account, password management might result in a denial of service: as the users accessing the shared account are not known in advance, a password change cycle may stop some users from accessing the account until they receive communication from the system/user about the password change.
6. Confidentiality of the password is always at risk. As per the terms and conditions of most software applications, the access credentials of a particular application are meant to be used by a single user and are non-transferable. But in the case of a shared account, multiple users are provided with the credentials.
7. The integrity of the entire system is low as sensitive data could be modified undetectably given that there are minimal tracking and audit controls in place to track the users of shared accounts.
8. No detailed auditing is possible for actions taken by shared account users.
9. It is difficult to identify without ambiguity the user who accessed the system/resource through the shared account at a particular time instance, so that the user cannot repudiate his/her actions.
The term 'network user' in this specification relates to any user accessing an application server or external system(s) via the Internet or any other computer network arrangement.
The term 'authentication credentials' in this specification relates to unique identification details associated with a network user to provide him/her access to a secured device or a secured web-site. For instance, authentication credentials can be a username and password.
BACKGROUND
Ensuring the safety of information and critical data stored on computer systems is a critical issue in today's world. On the one hand, enterprises are providing an ever increasing number of services through computer systems for increasingly sophisticated and real-time transactions. At the same time, incidents such as hacker break-ins, computer terrorism or cyber terrorism and employee or former-employee sabotage are on the rise. Thus, there is a need to protect confidential and privileged information stored on computer systems from unauthorized and unethical users while keeping it accessible to authorized users.
Typically, the user accounts utilized to access confidential and privileged data are termed privileged accounts. These accounts are termed as such because of the nature of the data being accessed using them and also because such accounts provide users with superior data access and manipulation rights, while the access credentials are shared among a few. Moreover, certain transactions, such as those involving stocks, bonds, derivatives and combinations thereof, are performed at an international level. These transactions are carried out using one or more shared data sources distributed over one or more computer systems. Such secure data sources include sensitive data about trading services, price feed services, data feed services and the like, and are accessed using the shared accounts. Hence, these data sources must be protected against unauthorized access, unauthorized acquisition and unauthorized manipulation. Moreover, it is desirable to keep track of users who access such sensitive data sources using the shared accounts and subsequently work on the data associated with those data sources.
One common problem with shared accounts is that they have no access control separation, and hence it is difficult to keep track of any user's actions for audit purposes. Auditing should be an essential part of shared accounts, as it provides detailed auditing of actions taken by shared account users. This may include recording the user's session as well as creating a correlation between a generic/shared account and a person. Keeping track of users accessing such sensitive data sources helps in making those users accountable for the operations they perform on the sensitive data contained in those data sources.
Further, sensitive data sources can also be accessed via system accounts, administrator accounts such as Linux/Unix root accounts, service accounts, web based system accounts and accounts of technical users. These accounts are also considered highly sensitive because they often provide users with the highest degree of autonomy as far as data manipulation is concerned, and because data sources containing highly sensitive data can be accessed using them. The manipulation of a shared account can have catastrophic effects, since these accounts provide access to highly sensitive data and are normally used across the world by multiple users. Manipulation of a personal user account may not have catastrophic effects in terms of data security, since personal accounts are typically associated with individuals. However, manipulation of shared accounts can have hazardous effects, since these accounts provide access to sensitive data and are associated with multiple users.
There are many use cases in which a shared account with elevated access rights is needed. For the purpose of this disclosure, and for describing the information security issues associated with such an account, only the web-application instance is examined.
Given below are some of the factors that contribute to the difficulties associated with protecting sensitive data contained in the sensitive data sources against unauthorized access and usage:
1. Many organizations do not impose appropriate regulations on access and handling of shared accounts. Even if the regulations are in place they neglect the implementation of these regulations or fail to ensure thorough execution of the regulations;
2. In many organizations a particular group of users are provided with the rights to access shared accounts. Normally, the group of users will be provided with a common user id and common password. When more than one user accesses a shared account using the common user identification and the password, it is tedious to keep track of the operations performed on the shared account.
3. The fact that the shared accounts are accessed through shared user identification and password renders them vulnerable to hacker attacks and former employee sabotages since there is a possibility that the user identification and the password may be revealed to unauthorized users unknowingly.
4. The existing access control mechanisms associated with shared accounts may not be sufficient to prevent unauthorized users from accessing the shared account, as the credentials are known to many people in the organization; moreover, to track each user's session there is either no mechanism in place or the existing mechanism is too primitive to handle all the CIAA (Confidentiality, Integrity, Availability and Accountability) concerns;
5. When an employee having access rights to shared accounts resigns from the service or shifts to another project, the user identifications and the passwords of all the shared accounts to which the employee was given access must be changed. The change must be undertaken in order to avoid sabotage by former employees and to prevent the former employee from accessing the sensitive information, since he no longer requires access to those shared accounts. But many organizations either fail or neglect to implement the process of changing user identifications and passwords, especially when account credentials are shared with many users.
Given above are some of the factors that contribute to the difficulties associated with protecting sensitive data against unauthorized access and unauthorized usage. The lack of management of access rights associated with shared accounts also contributes to the vulnerability of these accounts. Normally, in the corporate environment employees are required to access third party websites and systems as part of their job routine. These sites may also contain confidential and extremely critical data. Most of the sites are accessible through the internet, and they can be accessed from outside the work environment and/or offshore development centre. Other places from which these critical sites can be accessed include cyber cafes and Wi-Fi zones. These places do not have the same level of data security arrangements as the offshore development centres. Since access to these sites from outside the offshore development centre cannot easily be detected and curtailed, owing to the lack of data security arrangements, any act of sabotage aimed at these critical sites can easily be accomplished. Sometimes, sharing the credentials corresponding to shared accounts with third parties is deemed necessary. In such cases, if an employee who used to access the third party systems quits his/her job, then it becomes necessary to change the credentials of the shared accounts that had been made accessible to that particular employee. If the credentials are not changed, then the employee who has left would still be able to access and use the shared accounts, and such a situation entails huge data security risks.
Most of the organizations are stringent in terms of management of access rights corresponding to normal user accounts such as the official email id and the like. But the management of shared accounts gets complicated by the fact that usage of shared accounts and the credentials corresponding to the shared accounts is often associated with group of users and not with single user.
Hence, there is a felt need for a system and a method that overcomes the aforementioned shortcomings and protects data sources containing sensitive information by permitting only authorized users to access them. There is also a felt need for a system that assists in the effective protection of shared accounts and helps in the effective tracking and management of shared accounts throughout their life cycle.

OBJECTS
Some of the non-limiting objects of the present invention are provided below.
It is an object of the present invention to provide a web based system for managing shared accounts and protecting shared accounts against unauthorized access and unauthorized usage.
It is another object of the present invention to provide a system, which can be implemented with minimal changes to the existing hardware/software infrastructure.
It is yet another object of the present invention to provide a system which does not warrant any changes to the existing authentication infrastructure of the third party system or shared account holding system.
It is yet another object of the present invention to provide a system that effectively monitors the shared accounts in order to prevent misuse of private data stored in the shared accounts.
It is yet another object of the present invention to provide a system that produces an accurate account of log information corresponding to the shared accounts.
It is yet another object of the present invention to provide a system that is user friendly and easy to learn.
It is yet another object of the present invention to provide a system that provides user based authentication rules thereby avoiding sharing the user name and password amongst multiple users.
It is yet another object of the present invention to provide a system that provides additional level of security to the data by introducing two levels of authentication.
It is yet another object of the present invention to provide a system that automatically logs the users on to sensitive data sources, without providing them the original credentials corresponding to the shared account.
It is yet another object of the present invention to create a lock-based system that allows only one authenticated user at a time to access the third party system, thereby avoiding any concurrency issues arising from multiple users accessing the same system at the same time.
These and other objects are to a great extent dealt with by the invention disclosed hereinafter.

SUMMARY OF THE INVENTION
The present invention envisages a computer implemented system for managing shared accounts. The system, in accordance with the present invention comprises an access control means and an access control station:
• the access control means comprising:
o sensing means adapted to sense access requests corresponding to the shared accounts;
o redirecting means for redirecting sensed requests to said access control station;
• the access control station comprising:
o a repository for storing authentication credentials of a plurality of qualified shared account users and secured credentials and/or passwords for accessing the shared accounts;
o receiving means adapted to receive the redirected sensed requests via Hyper Text Transfer Protocol (HTTP), Hyper Text Transfer Protocol Secured (HTTPS) and the like;
o prompting means adapted to prompt requestors of sensed requests for authentication credentials;
o comparator means adapted to compare the authentication credentials received from the requestors on prompt with the authentication credentials stored in the repository, the comparator means further adapted to optionally delegate the comparison to an external authentication mechanism;
o shared account accessing means adapted to transmit the secured credentials and/or passwords, without reference to the requestors, to provide access to said shared account to said requestors only in the event that there is a match between the authentication credentials received from said requestors on prompt and the authentication credentials stored in said repository, or on a successful check with a centralized authentication system existing in the client organization; and
o optional locking mechanism adapted to configure the time period for which a particular requestor accesses said shared account, said optional locking mechanism further adapted to facilitate time based locking and/or unlocking of the authentication credentials and/or secured credentials and/or passwords corresponding to a particular shared account(s) and a particular requestor(s) and stored in said repository, wherein said repository is configured to be accessed using Lightweight Directory Access Protocol (LDAP) or any other similar protocol.
Typically, in accordance with the present invention, the shared account accessing means includes time based expiration means adapted to allow only one user to access the system at a time, blocking all other users for the period during which the allowed user is provided access.
Typically, in accordance with the present invention, the shared account accessing means further includes means to renew a time based expiration under pre determined conditions.
Typically, in accordance with the present invention, the repository is selected from the group consisting of a standard database, the organization's directory service accessible through Lightweight Directory Access Protocol (LDAP) or any other similar protocol, and Active Directory.
Typically, in accordance with the present invention, the external authentication mechanism is Lightweight Directory Access Protocol (LDAP).
Typically, in accordance with the present invention, the access control station includes an exception generation means adapted to generate an exception in the event that the comparator means does not find a match between the authentication credentials received from the requestors on prompt and the authentication credentials stored in the repository.
Typically, in accordance with the present invention, the access control station is further adapted to initiate preventive measures in the event that the number of exceptions generated for a particular requestor exceeds a pre determined maximum limit.

Typically, in accordance with the present invention, the access control station includes storage means cooperating with the exception generation means and adapted to store the generated exceptions.
Typically, in accordance with the present invention, the access control station includes tracking means adapted to track and log the activities performed by said requestors using said shared account.
The present invention envisages a computer implemented method for managing shared accounts. The method in accordance with the present invention comprises the following steps:
• sensing access requests corresponding to said shared accounts;
• redirecting sensed requests to an access control station;
• prompting requestors of sensed requests for authentication credentials; this prompt can be from the access control station or from the central authentication mechanism available within the organization;
• comparing the authentication credentials received from requestors with the authentication credentials stored in the repository;
• transmitting secured credentials and/or passwords without reference to the requestors, to provide access of the shared account to the requestors only in the event that there is a match between the authentication credentials received from said requestors on prompt and the authentication credentials stored in said repository; and
• executing an optional locking mechanism to configure the time period for which a particular requestor accesses said shared account and to facilitate time based locking and/or unlocking of the authentication credentials and/or secured credentials and/or passwords corresponding to a particular shared account(s) and a particular requestor(s) and stored in said repository, wherein said repository is configured to be accessed using Lightweight Directory Access Protocol (LDAP) or any other similar protocol.

Typically, in accordance with the present invention, the method further includes the step of allowing only one user to access the system at a time, blocking all other users for the period during which the allowed user is provided access.
Typically, in accordance with the present invention, the method further includes the step of renewing a time based expiration based on pre determined conditions.
Typically, in accordance with the present invention, the method further includes the step of tracking and logging the activities performed by the requestors using the shared accounts.
Typically, in accordance with the present invention, the step of comparing the authentication credentials further includes the step of generating an exception in the event that there is no match between the authentication credentials received from the requestors on prompt and the authentication credentials stored in the repository.
Typically, in accordance with the present invention, the step of generating an exception further includes the step of storing the generated exception.
Typically, in accordance with the present invention, the step of generating an exception further includes the step of initiating preventive measures in the event that the number of exceptions generated for a particular requestor exceeds a pre determined maximum limit.
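The system and method summarized above (prompting, comparing against the repository, generating and storing exceptions with a preventive measure once a limit is exceeded, exclusive time based locking with renewal, and tracking of activity) can be modelled end to end in a short program. The following Python is an added illustration written for this page; it is not code from the patent or from the applicant. The class and method names, the use of PBKDF2 for the requestors' own credentials, an in-memory dictionary in place of an LDAP or Active Directory repository, and the values of MAX_EXCEPTIONS and LEASE_SECONDS are all assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed policy values; the specification only calls them "pre determined" / configurable.
MAX_EXCEPTIONS = 3      # failed attempts before the preventive measure (blocking) fires
LEASE_SECONDS = 600     # time period for which one requestor may hold a shared account


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the repository never stores requestor passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    entitled: set          # shared accounts this requestor may use
    exceptions: int = 0
    blocked: bool = False


@dataclass
class Lease:
    user: str
    expires_at: float


class AccessControlStation:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock, so lease expiry can be exercised in tests
        self.users = {}         # repository: requestor name -> UserRecord
        self.vault = {}         # repository: shared account -> (login, password)
        self.leases = {}        # locking mechanism: shared account -> Lease
        self.exceptions = []    # storage means for generated exceptions
        self.activity = []      # tracking means: (time, requestor, account, event)
        self.relayed = []       # what was handed to the access control means, never to the requestor

    # Role management subsystem: discrete requestor accounts, distinct from shared-account secrets.
    def add_user(self, name, password, entitled):
        salt = os.urandom(16)
        self.users[name] = UserRecord(salt, _digest(password, salt), set(entitled))

    def store_shared_account(self, account, login, password):
        self.vault[account] = (login, password)

    # Comparator means, exception generation and the preventive measure.
    def authenticate(self, name, password) -> bool:
        rec = self.users.get(name)
        if rec is None or rec.blocked:
            self.exceptions.append((name, "unknown or blocked requestor"))
            return False
        if not hmac.compare_digest(rec.digest, _digest(password, rec.salt)):
            rec.exceptions += 1
            self.exceptions.append((name, "credential mismatch"))
            if rec.exceptions >= MAX_EXCEPTIONS:
                rec.blocked = True
                self.exceptions.append((name, "blocked: exception limit reached"))
            return False
        rec.exceptions = 0
        return True

    # Optional locking mechanism: at most one requestor per shared account at a time.
    def lock_holder(self, account):
        lease = self.leases.get(account)
        if lease is None or lease.expires_at <= self.now():
            self.leases.pop(account, None)   # an expired lease unlocks automatically
            return None
        return lease.user

    def request_access(self, name, password, account):
        """Return an opaque session handle, or None. The vaulted secret is appended to
        self.relayed (the channel to the access control means) and never returned."""
        if not self.authenticate(name, password):
            return None
        if account not in self.users[name].entitled or account not in self.vault:
            self.exceptions.append((name, "not entitled to " + account))
            return None
        holder = self.lock_holder(account)
        if holder not in (None, name):
            self.activity.append((self.now(), name, account, "denied: locked by " + holder))
            return None
        self.leases[account] = Lease(name, self.now() + LEASE_SECONDS)
        handle = os.urandom(16).hex()
        self.activity.append((self.now(), name, account, "lease granted " + handle))
        self.relayed.append((handle, self.vault[account]))   # shared account accessing means
        return handle

    def renew(self, name, account) -> bool:
        """Renew only while the requestor still holds the lock (the assumed pre-determined condition)."""
        if self.lock_holder(account) != name:
            return False
        self.leases[account].expires_at = self.now() + LEASE_SECONDS
        self.activity.append((self.now(), name, account, "lease renewed"))
        return True
```

Two points in the design carry the security properties claimed above: the shared-account secret only ever travels to the access control means (the relayed list here), so a requestor holding a valid handle still never sees it, and the exclusive lease answers the concurrency object by refusing a second requestor until the first lease expires or is released by expiry.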
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS
The present invention will now be described with reference to the accompanying drawings, in which:
FIGURE 1 illustrates a schematic of the system for managing shared accounts, in accordance with the present invention; and
FIGURE 2 illustrates a flowchart showing the steps for managing shared accounts, in accordance with the present invention.
DETAILED DESCRIPTION
The drawings and the description thereto are merely illustrative of a computer implemented system and method for managing shared accounts, and only exemplify the invention and in no way limit the scope thereof.

To overcome the difficulties associated with managing the shared accounts providing access to sensitive data sources, the present invention provides a system that acts as an intermediary between the user and the shared accounts. The system proposed by the present invention continuously monitors all the shared accounts and restricts unauthorized users from accessing the shared accounts. The proposed system protects the shared accounts from being utilized by unauthorized users by isolating the credentials corresponding to the shared accounts from network users.
The system in accordance with the present invention isolates the credentials corresponding to shared accounts and also reduces the overheads associated with employing and following stringent regulations and access control policies. The isolation of the credentials corresponding to the shared accounts also prevents these credentials from being revealed either purposefully or accidently to network users.
The present invention makes use of an access control station to which all the requests corresponding to accessing the shared accounts is deviated. The access control station requires the network user making the request to provide his/her unique authentication credentials. These unique authentication credentials are the first level authentication credentials and are different from the credentials corresponding to the shared account that the network user is trying to access. Subsequently the access control station verifies the authentication credentials provided by the network user and upon successful verification provides the network user with access to the shared account.
In the process of allowing the network user to access the shared account, the access control components prompt the user for his/her credentials corresponding to the 'shared account' and, in case of successful authentication, the access control station relays the actual credentials of the 'shared account' and certain instructions to the access control means through Hyper Text Transfer Protocol (HTTP), Hyper Text Transfer Protocol Secured (HTTPS) or any other applicable protocol; the access control means in turn uses the actual credentials and the added instructions to automate the login process without revealing them to the network user. By employing such a methodology, the system of the present invention ensures that the credentials corresponding to the shared account are never revealed to the network user and are hard to intercept in transit and during the automation of the login process.
Further, the system of the present invention includes a role management subsystem which manages the network user accounts assigned to network users by a particular enterprise. The role management subsystem facilitates the creation of discrete user accounts and assigns unique authentication credentials to the network users. The authentication credentials provided by the role management subsystem are different from the credentials corresponding to the shared accounts.
In addition, the present system can be easily integrated with existing authentication mechanisms including single-sign on (SSO) or domain authentication subsystems for providing secured access to the data sources. Thus the present invention not only protects shared accounts from unauthorized access but also reduces the overheads of implementing stringent regulations and access control policies. Along with the aforementioned advantages, the present invention enables multiple users to access the data sources via their individual authentication credentials and without the knowledge of the original credentials, the credentials which are actually in place for protecting the shared account.
Referring to the accompanying drawings, FIGURE 1 shows an overview of the system for managing shared accounts. In accordance with the present invention, the network users are associated with a plurality of computer nodes. The network users via their respective computer nodes can raise requests to access application servers hosting the shared accounts.
The system in accordance with the present invention includes a role management subsystem (not shown in the figures) which enables an administrator to create individual user accounts for each network user. The individual user accounts include the unique authentication credentials using which the network users are able to make requests to access the shared accounts located on the application server. The role management means allows an administrator to bind specific network users to specific web applications/application servers using appropriate credentials. The authentication credentials corresponding to network users are stored in the repository 104. The repository 104 is selected from the group consisting of a standard database, the organization's directory service accessible through Lightweight Directory Access Protocol (LDAP) or any other similar protocol, and Active Directory, where the credentials can be stored and made available on request. In accordance with the present invention, the administrator accesses the role management means and creates a new network user account by specifying a user name and a corresponding password. The user name and the password assigned to a particular network user by the role management means act as the authentication credentials for that particular network user.

Further, the system includes an access control means denoted by the reference numeral 100. Whenever a network user, via his/her computer node, makes a request to access the application server hosting the shared account, the request is sensed by the sensing means 100A associated with the access control means 100. Subsequently, the sensed request is redirected via redirecting means denoted by the reference numeral 100B to an access control station denoted by the reference numeral 102. The access control station 102 includes an optional locking mechanism which is adapted to facilitate time based locking and/or unlocking of the authentication credentials and/or secured credentials and/or passwords stored in repository 104 and corresponding to a particular shared account(s) and a particular requestor(s), thereby allowing only selected/predetermined requestor(s) to access the access control station 102. The optional locking mechanism is further adapted to configure the time period for which a particular requestor accesses a shared account. After the expiration of the predetermined time period, the optional locking mechanism automatically blocks the authentication credentials and/or secured credentials and/or passwords corresponding to that requestor, so that the requestor is no longer able to access the shared account.
The access control station 102, in accordance with the present invention, includes receiving means denoted by the reference numeral 102A which is adapted to receive the redirected sensed request. The access control station 102 further includes prompting means denoted by the reference numeral 102B which is adapted to prompt the network user (referred to as the requestor hereafter) making the request to provide his/her authentication credentials. Typically the authentication credentials include a username and a password, and typically the username and the password would have been allotted to the network user by the role management means. The authentication credentials received at the access control station 102 are typically in an encrypted format; this is guaranteed by the use of an HTTPS connection, and in the case of HTTP the communication is encrypted before transmission to the access control station 102. The prompting means 102B includes an encryption means (not shown in figures) which is adapted to encrypt the authentication credentials provided by the network users in the case of HTTP. The step of encryption is undertaken by the encryption means of the present invention in order to ensure the safe transmission of authentication credentials to the access control station 102. The encrypted authentication credentials are decrypted by the decryption means (not shown in figures) cooperating with the receiving means, only in the event that the transmission of the authentication credentials is accomplished using HTTP.

Techniques well known in the art are utilized for encrypting and subsequently decrypting the authentication credentials.
The access control station 102 further includes the repository 104. The repository 104 is selected from the group consisting of a standard database, an organization's directory service accessible through the Lightweight Directory Access Protocol (LDAP) or any other similar protocol, and Active Directory, where the credentials can be stored and made available on request. The repository 104, in accordance with the present invention, is adapted to store the authentication credentials corresponding to a plurality of qualified shared account users. The repository 104 is further adapted to store the secured credentials and passwords required to access the shared accounts. The repository 104 may be adapted to store the authentication credentials in an encrypted format in order to provide better security for the stored authentication credentials.
The access control station 102 further includes a comparator means denoted by the reference numeral 106 which is adapted to compare the authentication credentials received from the requestor with the authentication credentials stored in the repository 104. The comparator means 106 performs a one-to-one mapping of the received authentication credentials against the authentication credentials stored in the repository 104. The comparator means 106 is further adapted to optionally delegate the task of comparing the authentication credentials to an external authentication mechanism, which includes at least the Lightweight Directory Access Protocol (LDAP). However, it is within the scope of the present invention to make use of any other similar protocol.
If the comparator means 106 finds a match between the received authentication credentials and any of the authentication credentials stored in the repository 104, then the comparator means triggers the shared account accessing means 108, which in turn fetches the credentials and/or passwords corresponding to the shared account for which the requestor is requesting access. Subsequently, the shared account accessing means 108 transmits the fetched secured credentials and password, using HTTP or HTTPS, to the logging means 100C, which is a part of the access control means 100, for automating the login process without revealing the secured credentials and/or password to the requestor. The shared account accessing means cooperates with the logging means 100C to provide the requestor with access to the requested shared account. By not revealing the credentials corresponding to the shared account to the network user, the shared account accessing means 108 and logging means 100C make sure that the shared account cannot be hacked into and that the sensitive and confidential data stored in the shared account remains secured. Transmitting the secured credentials directly to the logging means 100C helps in avoiding network based sniffing attacks.
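As an added illustration of how the comparator means 106, the shared account accessing means 108 and the logging means 100C fit together, the following Python example (written for this page, not code from the patent or from Tata Consultancy Services) brokers access the way the passage describes: the requestor is authenticated with their own individual credentials, the shared account's real password is fetched from the repository and used to log in on the requestor's behalf, and only a session token comes back. The user names, passwords, role bindings and the `application_server_login` stand-in are constructed for the example; the choice of salted PBKDF2 hashes and a constant-time comparison for the requestor credentials is one of the "techniques well known in the art" the patent leaves open.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (assumption for this example, not from the patent):
# the shared account's real login, which the requestor must never see.
SHARED_ACCOUNTS = {
    "crm-admin": {"login": "crm_admin", "password": "S3cr3t-shared-pw"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: the repository holds no plaintext requestor passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Repository:
    """Repository 104 for requestors: salted password hashes plus the role
    management binding of each requestor to the shared accounts they may use."""
    users: dict = field(default_factory=dict)     # name -> (salt, hash)
    bindings: dict = field(default_factory=dict)  # name -> set of shared account ids

    def add_user(self, name: str, password: str, allowed: set) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _hash_password(password, salt))
        self.bindings[name] = set(allowed)

    def verify(self, name: str, password: str) -> bool:
        """Comparator means: one-to-one match of the presented credential,
        compared in constant time."""
        record = self.users.get(name)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong password
            _hash_password(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(_hash_password(password, salt), stored)


def application_server_login(login: str, password: str) -> Optional[str]:
    """Stand-in for the application server hosting the shared account
    (constructed). Returns a session token on a successful login."""
    for acct in SHARED_ACCOUNTS.values():
        if acct["login"] == login and hmac.compare_digest(acct["password"], password):
            return "session-" + secrets.token_hex(8)
    return None


def broker_access(repo: Repository, requestor: str, password: str,
                  account_id: str) -> Optional[str]:
    """Shared account accessing means: authenticate the requestor with their own
    credentials, then log in to the shared account on their behalf. Only the
    session token is returned; the shared password never leaves this function."""
    if not repo.verify(requestor, password):
        return None
    if account_id not in repo.bindings.get(requestor, set()):
        return None  # authenticated, but not bound to this shared account
    secret = SHARED_ACCOUNTS[account_id]
    return application_server_login(secret["login"], secret["password"])


def build_demo_repository() -> Repository:
    """Constructed users: alice is bound to crm-admin, bob to nothing."""
    repo = Repository()
    repo.add_user("alice", "alice-own-pw", {"crm-admin"})
    repo.add_user("bob", "bob-own-pw", set())
    return repo
```

Note that the authorization check (the role binding) is separate from authentication: a requestor with valid individual credentials but no binding is refused, and the failure responses are identical for an unknown user, a wrong password and a missing binding.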
The shared account accessing means 108, in accordance with the present invention, includes time based expiration means (not shown in figures) which is adapted to allow one user to access the system at a time by blocking all other users for the period during which the allowed user is provided access. While an allowed user is accessing the system, all other users are blocked from accessing it, thereby granting exclusive access to the allowed user. The shared account accessing means 108 further includes means (not shown in figures) to renew a time based expiration under predetermined conditions. Using time based expiration, the time period for which a particular requestor/user accesses the shared accounts can be preconfigured. After the expiration of the predetermined time period, the authentication credentials and the security credentials are locked, so that the corresponding user cannot access the shared account. Alternatively, after expiration of the predetermined time period, the time based expiration corresponding to particular requestor(s) and shared account(s) can be renewed, thereby granting the requestor(s) extended access to the shared account(s).
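The time based expiration described above, as an added example that is not part of the patent: a per-account lease that only one requestor holds at a time, lapses automatically at the configured time, and can be renewed only under predetermined conditions. The conditions chosen here (only the current holder may renew, only before expiry, and at most `max_renewals` times) are assumptions for the example; time is passed in explicitly so the behaviour can be checked without waiting.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Lease:
    holder: str
    expires_at: float
    renewals: int = 0


class ExclusiveAccessLease:
    """Time based expiration means: at most one requestor per shared account at
    a time; the lease lapses on its own and may be renewed only under the
    (hypothetical) policy encoded in renew()."""

    def __init__(self, duration: float, max_renewals: int = 2):
        self.duration = duration            # seconds of access granted per lease
        self.max_renewals = max_renewals    # predetermined renewal limit
        self._leases: Dict[str, Lease] = {}  # shared account id -> Lease

    def _active(self, account: str, now: float) -> Optional[Lease]:
        lease = self._leases.get(account)
        if lease is None:
            return None
        if now >= lease.expires_at:
            # Expired: the requestor/account pair is locked again automatically
            del self._leases[account]
            return None
        return lease

    def acquire(self, account: str, requestor: str, now: float) -> bool:
        """Grant exclusive access unless another requestor's lease is still live."""
        lease = self._active(account, now)
        if lease is not None and lease.holder != requestor:
            return False  # blocked while the allowed user holds the account
        if lease is None:
            self._leases[account] = Lease(requestor, now + self.duration)
        return True

    def may_use(self, account: str, requestor: str, now: float) -> bool:
        """True only for the current holder of an unexpired lease."""
        lease = self._active(account, now)
        return lease is not None and lease.holder == requestor

    def renew(self, account: str, requestor: str, now: float) -> bool:
        """Renewal: current holder only, before expiry, at most max_renewals times."""
        lease = self._active(account, now)
        if (lease is None or lease.holder != requestor
                or lease.renewals >= self.max_renewals):
            return False
        lease.expires_at = now + self.duration
        lease.renewals += 1
        return True
```

Because expiry is evaluated on every call rather than by a background timer, a requestor whose lease lapsed between two requests is refused on the very next request, and the next requestor can acquire the account immediately.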
In accordance with the present invention, if the comparator means 106 does not find a match between the received authentication credentials and the authentication credentials stored in the repository 104, then the comparator means 106 signals an exception generation means 110, which generates an exception corresponding to the mismatch between the received authentication credentials and the stored authentication credentials. The exception generation means 110 subsequently signals the prompting means 102B, which prompts the requestor to re-enter the authentication credentials. The exception generation means is further adapted to keep track of the number of exceptions generated for a particular network user. When the exceptions exceed a predetermined maximum permissible number of re-entries, the exception generation means 110 signals the access control station 102 to initiate preventive action. The preventive action includes sending an alert containing information about the network user making the requests with invalid authentication credentials, blocking such a requestor from making any further attempts at providing his/her authentication credentials, or blocking the IP address of the computer node from which the invalid requests are being generated.

In accordance with the present invention, if the network user enters invalid credentials for the first time, the logging means 112 creates a log of the event, the event in this case being that the network user has entered invalid credentials during his/her first attempt at providing the authentication credentials. The number of attempts a particular requestor may make at entering the authentication credentials can be decided by the system administrator. Alternatively, the maximum permissible number of attempts allowed to the requestor can be decided based on the policies of the organization implementing the system of the present invention. If, while entering the credentials, the requestor makes consecutive invalid attempts and thereby exceeds the maximum permissible number of attempts allotted to a user to provide valid authentication credentials, then access control station 104 alerts the logging means 112, which creates a log of the event. The event in this case is that the requestor has entered wrong credentials and has exceeded the maximum permissible attempts allotted to him/her to provide valid authentication credentials. Subsequently, the information about the requestor's computer node from which the invalid attempts to log on to a shared account were made is passed on to the administrator.
The system, in accordance with the present invention, further includes storage means (not shown in figures) adapted to store the generated exceptions. In accordance with the present invention, the logging means 112 cooperates with a report generation means 114 which receives all the information about the logs created by the logging means 112 and subsequently generates a log report that includes the relevant log information corresponding to every network user and every shared account, thereby allowing the system administrator to keep track of the activities of the network users who are accessing the shared accounts. The report generation means 114 also aids the system administrator in keeping track of all the operations being performed on the shared accounts hosted on the application server.
The system in accordance with the present invention also includes a tracking means 116 which is adapted to track the activities performed by a requestor who has obtained access to a shared account. The tracking means 116 cooperates with the logging means 112 to generate the logs corresponding to the activities performed by the requestors having access to the shared accounts. The tracking means 112 also cooperates with the report generation means 114 to enable the report generation means 114 to generate reports corresponding to the activities performed by a particular requestor on a particular shared account.
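The exception generation means 110, the logging means 112, the storage of exceptions and the report generation means 114 from the last three paragraphs, combined into one added Python example (not code from the patent): invalid attempts are counted per requestor, preventive action is taken once the administrator's limit is exceeded, every outcome and every tracked activity is appended to a log, and a report is built from that log per requestor and shared account. The limit of three attempts, the choice of blocking both the user and the node's IP address, and the log entries themselves are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Event:
    """One log entry; kind is one of auth_ok, auth_failed, lockout, activity."""
    requestor: str
    node_ip: str
    account: str
    kind: str
    detail: str = ""


@dataclass
class AccessLog:
    """Logging means 112: append-only record of authentication outcomes and of
    tracked activity on shared accounts."""
    events: List[Event] = field(default_factory=list)

    def record(self, event: Event) -> None:
        self.events.append(event)


class ExceptionTracker:
    """Exception generation means 110: counts consecutive invalid attempts per
    requestor and initiates preventive action once the (assumed) limit is
    exceeded: an administrator alert plus blocking the user and the node."""

    def __init__(self, log: AccessLog, max_attempts: int):
        self.log = log
        self.max_attempts = max_attempts
        self.failures: Counter = Counter()   # stored exceptions per requestor
        self.blocked_users: set = set()
        self.blocked_ips: set = set()
        self.alerts: List[str] = []          # what the administrator receives

    def is_blocked(self, requestor: str, node_ip: str) -> bool:
        return requestor in self.blocked_users or node_ip in self.blocked_ips

    def report_outcome(self, requestor: str, node_ip: str, account: str,
                       matched: bool) -> bool:
        """Feed in the comparator's verdict. Returns True while the requestor may
        still be prompted again, False once preventive action has been taken."""
        if matched:
            self.failures[requestor] = 0     # a valid login resets the count
            self.log.record(Event(requestor, node_ip, account, "auth_ok"))
            return True
        self.failures[requestor] += 1
        self.log.record(Event(requestor, node_ip, account, "auth_failed",
                              f"attempt {self.failures[requestor]}"))
        if self.failures[requestor] > self.max_attempts:
            self.blocked_users.add(requestor)
            self.blocked_ips.add(node_ip)
            self.alerts.append(f"{requestor}@{node_ip} exceeded "
                               f"{self.max_attempts} attempts on {account}")
            self.log.record(Event(requestor, node_ip, account, "lockout"))
            return False
        return True


def generate_report(log: AccessLog) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Report generation means 114: per (requestor, shared account), how many
    log events of each kind were recorded."""
    summary: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in log.events:
        summary[(ev.requestor, ev.account)][ev.kind] += 1
    return {key: dict(counts) for key, counts in summary.items()}
```

The counter is keyed by requestor name, as the passage describes; a deployment that also wants to slow down attempts spread across many user names would add a second counter keyed by the node's IP address.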

The present invention envisages a computer implemented method for managing shared accounts. As seen in FIGURE 2, the method includes the following steps:
• sensing access requests corresponding to said shared accounts 200;
• redirecting sensed requests to an access control station 202;
• storing authentication credentials of a plurality of qualified shared account users and secured credentials and/or passwords for accessing the shared accounts, in a repository 204;
• prompting requestors of said sensed requests for authentication credentials 206;
• comparing the authentication credentials received from said requestors on prompt with the authentication credentials stored in said repository or optionally delegating it to an external authentication mechanism 208;
• transmitting the secured credentials and password without reference to said requestors, to provide access of said shared accounts to said requestors only in the event that there is a match between the authentication credentials received from said requestors on prompt and the authentication credentials stored in said repository 210; and
• executing an optional locking mechanism to configure the time period for which a particular requestor accesses said shared account and to facilitate time based locking and/or unlocking of the authentication credentials and/or secured credentials and/or passwords corresponding to a particular shared account(s) and a particular requestor(s) and stored in said repository, wherein said repository is configured to be accessed using Lightweight Directory Access Protocol (LDAP) or any other similar protocol 212.
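The sensing and redirecting steps (200 and 202 above, and the sensing means 100A and redirecting means 100B of FIGURE 1), as an added example that is not part of the patent: a small request-handling layer that recognises requests aimed at a shared account, lets them through only when the requestor already holds a session brokered by the access control station, and otherwise redirects the requestor to the station with the requested account and original path attached so the station can prompt for individual credentials (step 206). The host names, the station URL, the cookie format and the upstream stand-in are constructed for the example; a real session check would look the token up in the station's session store rather than inspect the cookie's shape.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote

Environ = Dict[str, str]
Response = Tuple[str, List[Tuple[str, str]], bytes]  # status, headers, body

# Constructed (hypothetical) targets: host and path prefix fronting each shared account
SHARED_ACCOUNT_TARGETS = {("crm.example.internal", "/admin"): "crm-admin"}
ACCESS_CONTROL_STATION = "https://acs.example.internal/login"  # hypothetical


def sense_shared_account_request(environ: Environ) -> Optional[str]:
    """Sensing means 100A: map a request to the shared account it targets, or
    None when the request is for something that is not a shared account."""
    host = environ.get("HTTP_HOST", "")
    path = environ.get("PATH_INFO", "/")
    for (h, prefix), account in SHARED_ACCOUNT_TARGETS.items():
        if host == h and (path == prefix or path.startswith(prefix + "/")):
            return account
    return None


def make_access_control_proxy(session_valid: Callable[[Environ, str], bool],
                              upstream: Callable[[Environ], Response]
                              ) -> Callable[[Environ], Response]:
    """Access control means 100: requests for a shared account without a valid
    brokered session are redirected (302) to the access control station;
    everything else is passed to the upstream application server."""
    def app(environ: Environ) -> Response:
        account = sense_shared_account_request(environ)
        if account is None or session_valid(environ, account):
            return upstream(environ)
        # Redirecting means 100B: carry the account and original path so the
        # station can prompt and, after a match, log the requestor in.
        original = environ.get("PATH_INFO", "/")
        location = (f"{ACCESS_CONTROL_STATION}?account={quote(account)}"
                    f"&next={quote(original, safe='')}")
        return ("302 Found", [("Location", location)], b"")
    return app


def demo_session_valid(environ: Environ, account: str) -> bool:
    """Constructed session check: the station is assumed to set a cookie of the
    form acs_session=<account>:<token>. Only the shape is checked here."""
    cookie = environ.get("HTTP_COOKIE", "")
    return cookie.startswith(f"acs_session={account}:")


def demo_upstream(environ: Environ) -> Response:
    """Constructed stand-in for the application server hosting the account."""
    return ("200 OK", [("Content-Type", "text/plain")], b"shared account content")


demo_app = make_access_control_proxy(demo_session_valid, demo_upstream)
```

The `next` parameter is URL-encoded and bound to a known account id, so the station can return the requestor to the page they asked for without accepting an arbitrary redirect target.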
In accordance with the present invention, the method further includes the step of allowing one user to access the system at a time, blocking all other users during the time for which the allowed user is provided access.
In accordance with the present invention, the method further includes the step of renewing a time based expiration based on pre determined conditions.

In accordance with the present invention, the method further includes the step of tracking and logging the activities performed by the requestor using the shared account.
In accordance with the present invention, the step of comparing the authentication credentials further includes the step of generating an exception in the event that there is no match between the authentication credentials received from the requestor and the authentication credentials stored in the repository.
In accordance with the present invention, the step of generating an exception further includes the step of storing the generated exception.
In accordance with the present invention, the step of generating an exception further includes the step of initiating preventive measures in the event that the number of exceptions generated for a particular requestor exceeds a pre determined maximum limit.
TECHNICAL ADVANTAGES
The technical advantages of the present invention are as follows:
• providing a computer implemented system for managing shared accounts and protecting shared accounts against unauthorized access and unauthorized usage; this ensures the confidentiality of the password and as well as that of data;
• providing a computer implemented system that ensures the seamless integration of the system of invention with the existing infrastructure and applications;
• minimizing the changes required to existing authentication infrastructure and ensuring the seamless integration of the system of the invention with the existing infrastructure and applications;
• providing a computer implemented system for extending the use of existing authentication mechanisms including Single Sign On and Domain Authentication subsystems for managing the user authentication for providing shared account access, thereby demonstrating the extensible nature of the system and also the seamless integration of the system with the existing authentication mechanism;
• providing a computer implemented system for monitoring the shared accounts in order to prevent misuse of sensitive data and to ensure accountability on the part of the shared account users;
• providing a computer implemented system for maintaining and tracking the integrity of the shared account;
• providing a computer implemented system for producing accurate access log information corresponding to the shared accounts usage and access to ensure accountability on the part of the shared account users;
• providing unique user based authentication rules thereby avoiding sharing of authentication credentials amongst multiple users and maintaining the confidentiality of the credentials and/or password;
• automatically logging the network users on to sensitive data sources or websites, without providing them the original authentication credentials corresponding to the shared accounts, thus isolating the shared account credentials from network users; and
• providing a computer implemented system that does not necessitate creation of different shared accounts on different systems as and when new users join or leave the organization, as the system of the present invention can act as mediator to access the site having shared account. This demonstrates the system's capability to introduce a fine grained access control and also ensures proper authorization for accessing the data.
While considerable emphasis has been placed herein on the particular features of this invention, it will be appreciated that various modifications can be made, and that many changes can be made in the preferred embodiment without departing from the principles of the invention. These and other modifications in the nature of the invention or the preferred embodiments will be apparent to those skilled in the art from the invention herein, whereby it is to be distinctly understood that the foregoing descriptive matter is to be interpreted merely as illustrative of the invention and not as a limitation.

We Claim:
1. A computer implemented system for managing shared accounts, said system comprising an access control means and an access control station:
• said access control means comprising:
o sensing means adapted to sense access requests corresponding to said shared accounts; and
o redirecting means for redirecting sensed requests to said access control station;
• said access control station comprising:
o a repository for storing authentication credentials of a plurality of qualified shared account users and secured credentials and/or passwords for accessing said shared accounts;
o receiving means adapted to receive said redirected sensed requests;
o prompting means adapted to prompt requestors of said redirected sensed requests for authentication credentials;
o comparator means adapted to compare the authentication credentials received from said requestors on prompt with the authentication credentials stored in said repository, said comparator means adapted to optionally delegate it to an external authentication mechanism;
o shared account accessing means adapted to transmit said secured credentials and/or passwords, without reference to said requestors, to provide access to said shared accounts to said requestors only in the event that there is a match between the authentication credentials received from said requestors on prompt and the authentication credentials stored in said repository; and
o optional locking mechanism adapted to configure the time period for which a particular requestor accesses said shared account, said optional locking mechanism further adapted to facilitate time based locking and/or unlocking of the authentication credentials and/or secured credentials and/or passwords corresponding to a particular shared account(s) and a particular requestor(s) and stored in said repository, wherein said repository is configured to be accessed using Lightweight Directory Access Protocol (LDAP) or any other similar protocol.
2. The system as claimed in claim 1, wherein said shared account accessing means includes time based expiration means adapted to allow one user to access the system at a time, blocking all other users during the time for which the allowed user is provided access.
3. The system as claimed in claim 1 or 2, wherein said shared account accessing means further includes means to renew a time based expiration under predetermined conditions.
4. The system as claimed in claim 1, wherein said external authentication mechanism is Lightweight Directory Access Protocol (LDAP).
5. The system as claimed in claim 1, wherein said repository stores the authentication credentials of the plurality of qualified shared account users and secured credentials and/or passwords for accessing said shared accounts in an encrypted format.
6. The system as claimed in claim 1 or 5 wherein said repository is selected from the group consisting of standard database, organizations directory service accessible through Lightweight Directory Access Protocol (LDAP) or any other similar protocol and active directory.
7. The system as claimed in claim 1, wherein said access control station includes an exception generation means adapted to generate an exception in the event that said comparator means does not find a match between the authentication credentials received from said requestors on prompt and the authentication credentials stored in said repository.
8. The system as claimed in claim 1, wherein said access control station is further adapted to initiate preventive measures in the event that the number of exceptions generated for a particular requestor exceeds a pre determined maximum limit.
9. The system as claimed in claim 1, wherein said access control station includes storage means cooperating with said exception generation means and adapted to store the generated exceptions.
10. The system as claimed in claim 1, wherein said access control station includes tracking means adapted to track and log the activities performed by said requestor using said shared account.
11. A computer implemented method for managing shared accounts, said method comprising the following steps:
• sensing access requests corresponding to said shared accounts;
• redirecting sensed requests to an access control station;
• storing authentication credentials of a plurality of qualified shared account users and secured credentials and/or passwords for accessing the shared accounts, in a repository;
• prompting requestors of redirected sensed requests for authentication credentials;
• comparing the authentication credentials received from said requestors with the authentication credentials stored in said repository or optionally delegating it to an external authentication mechanism;
• transmitting said secured credentials and/or passwords without reference to said requestors, to provide access of said shared accounts to said requestors only in the event that there is a match between the authentication credentials received from said requestors on prompt and the authentication credentials stored in said repository; and
• executing an optional locking mechanism to configure the time period for which a particular requestor accesses said shared account and to facilitate time based locking and/or unlocking of the authentication credentials and/or secured credentials and/or passwords corresponding to a particular shared account(s) and a particular requestor(s) and stored in said repository, wherein said repository is configured to be accessed using Lightweight Directory Access Protocol (LDAP) or any other similar protocol.
12. The method as claimed in claim 11, wherein the method further includes the step of allowing one user to access the system at a time, blocking all other users during the time for which the allowed user is provided access.
13. The method as claimed in claim 11, wherein the method further includes the step of renewing a time based expiration based on pre determined conditions.
14. The method as claimed in claim 11, wherein the method further includes the step of tracking and logging the activities performed by said requestors using said shared accounts.
15. The method as claimed in claim 11, wherein the step of comparing the authentication credentials further includes the step of generating an exception in the event that there is no match between the authentication credentials received from said requestors on prompt and the authentication credentials stored in said repository.
16. The method as claimed in claim 15, wherein the step of generating an exception further includes the step of storing the generated exception.
17. The method as claimed in claim 15 or 16, wherein the step of generating an exception further includes the step of initiating preventive measures in the event that the number of exceptions generated for a particular requestor exceeds a pre determined maximum limit.

Documents

Application Documents

# Name Date
1 3287-MUM-2010-FORM 1(29-12-2010).pdf 2010-12-29
2 3287-MUM-2010-CORRESPONDENCE(29-12-2010).pdf 2010-12-29
3 Other Patent Document [08-10-2016(online)].pdf 2016-10-08
4 abstract1.jpg 2018-08-10
5 3287-MUM-2010-FORM 5(2-12-2011).pdf 2018-08-10
6 3287-mum-2010-form 3.pdf 2018-08-10
7 3287-mum-2010-form 26.pdf 2018-08-10
8 3287-mum-2010-form 2.pdf 2018-08-10
9 3287-mum-2010-form 2(title page).pdf 2018-08-10
10 3287-MUM-2010-FORM 2(TITLE PAGE)-(2-12-2011).pdf 2018-08-10
11 3287-MUM-2010-FORM 2(2-12-2011).pdf 2018-08-10
12 3287-MUM-2010-FORM 18(4-12-2013).pdf 2018-08-10
13 3287-mum-2010-form 1.pdf 2018-08-10
14 3287-mum-2010-drawing.pdf 2018-08-10
15 3287-MUM-2010-DRAWING(2-12-2011).pdf 2018-08-10
16 3287-MUM-2010-ABSTRACT(2-12-2011).pdf 2018-08-10
17 3287-MUM-2010-DESCRIPTION(COMPLETE)-(2-12-2011).pdf 2018-08-10
18 3287-MUM-2010-CORRESPONDENCE(2-12-2011).pdf 2018-08-10
19 3287-MUM-2010-CORRESPONDENCE(4-12-2013).pdf 2018-08-10
20 3287-mum-2010-correspondence.pdf 2018-08-10
21 3287-MUM-2010-CLAIMS(2-12-2011).pdf 2018-08-10
22 3287-mum-2010-description(provisional).pdf 2018-08-10
23 3287-MUM-2010-FER.pdf 2019-07-25
24 3287-MUM-2010-FORM-26 [09-09-2019(online)].pdf 2019-09-09
25 3287-MUM-2010-FER_SER_REPLY [16-09-2019(online)].pdf 2019-09-16
26 3287-MUM-2010-COMPLETE SPECIFICATION [16-09-2019(online)].pdf 2019-09-16
27 3287-MUM-2010-CLAIMS [16-09-2019(online)].pdf 2019-09-16
28 3287-MUM-2010-ABSTRACT [16-09-2019(online)].pdf 2019-09-16
29 3287-MUM-2010- ORIGINAL UR 6(1A) FORM 26-110919.pdf 2019-11-20
30 3287-MUM-2010-Response to office action [12-09-2020(online)].pdf 2020-09-12
31 3287-MUM-2010-US(14)-HearingNotice-(HearingDate-24-04-2023).pdf 2023-04-05
32 3287-MUM-2010-FORM-26 [20-04-2023(online)].pdf 2023-04-20
33 3287-MUM-2010-Correspondence to notify the Controller [20-04-2023(online)].pdf 2023-04-20
34 3287-MUM-2010-Written submissions and relevant documents [09-05-2023(online)].pdf 2023-05-09
35 3287-MUM-2010-FORM-26 [09-05-2023(online)].pdf 2023-05-09
36 3287-MUM-2010-PatentCertificate18-09-2023.pdf 2023-09-18
37 3287-MUM-2010-IntimationOfGrant18-09-2023.pdf 2023-09-18

Search Strategy

1 searchstrat_01-07-2019.pdf

ERegister / Renewals

3rd: 14 Dec 2023 (From 02/12/2012 - To 02/12/2013)
4th: 14 Dec 2023 (From 02/12/2013 - To 02/12/2014)
5th: 14 Dec 2023 (From 02/12/2014 - To 02/12/2015)
6th: 14 Dec 2023 (From 02/12/2015 - To 02/12/2016)
7th: 14 Dec 2023 (From 02/12/2016 - To 02/12/2017)
8th: 14 Dec 2023 (From 02/12/2017 - To 02/12/2018)
9th: 14 Dec 2023 (From 02/12/2018 - To 02/12/2019)
10th: 14 Dec 2023 (From 02/12/2019 - To 02/12/2020)
11th: 14 Dec 2023 (From 02/12/2020 - To 02/12/2021)
12th: 14 Dec 2023 (From 02/12/2021 - To 02/12/2022)
13th: 14 Dec 2023 (From 02/12/2022 - To 02/12/2023)
14th: 14 Dec 2023 (From 02/12/2023 - To 02/12/2024)
15th: 07 Nov 2024 (From 02/12/2024 - To 02/12/2025)