Volatile User Access
Publication Date: 2016-Jun-02
The IP.com Prior Art Database
Automatic creation of a privileged user ID in relation to an approved Change Management request activity, for the duration of the change window, and subsequent deletion of the same privileged user ID after the change window interval has ended, along with notification to the Change Owner.
Considerable cost and effort are spent to maintain privileged IDs (users with admin access) within an organization and to prevent misuse of such IDs from a security perspective. These IDs need to be stored in a secured place, with stringent security safeguards and processes as well. A slight deviation in process can create a security breach and subsequent audit exposure.
When a change request is to be implemented on a system (Windows, Linux, Cisco, NetApp, Mainframe), a volatile privileged user ID shall be created with the required level of access for implementing the change. The user ID is automatically removed from the system after a specific time period (after the change window) and is no longer available for use.
This volatile nature of the user ID ensures that the privileged user ID need not be maintained securely for future use and is destroyed immediately after the associated work (change) is completed.
Use Case: A change is scheduled to be executed on a server system. The change request is discussed in the CAB (Change Approval Board) and gets approved in the Change Management tool (such as Remedy, Maximo, etc.). The tool (which is to be invented) shall read the Change Management tool entries on a regular basis and pick out the approved changes.
The tool picks the "Affected Server" name from the ITIL tool and creates a privileged user ID for accessing the server, in disabled state. The user ID description is populated with the server name, a time stamp and the executing engineer's details. The tool sends an email to the manager of the server environment for approval. The system enables the volatile user ID only when two conditions are met, viz. an approval email has been received from the approver (manager) and it is a few minutes before the Change Window.
The system sends the Change Implementer the user ID and the password in separate emails, SMS messages or other modes of secure communication before the Change Window start time. The system also automatically disables the user ID after the Change Window and deletes it after a few days. However, the system also provides a Panic Button option which can be used when the Change Window is extended beyond the scheduled time. This ensures that the life of the volatile user ID is extended beyond the change window time span in times of emergency.
The system also logs every action it takes, like creation of IDs, email communication, deletion of created volatile i...
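As an added example (not part of this disclosure or of any change-management product it names), the following Python sketch models the lifecycle described in the use case above: the ID is created disabled, enabled only after manager approval and shortly before the window, disabled again after the window, extendable with a panic button, deleted a few days later, and every action is logged. The 5-minute lead time, the 3-day purge delay and the rule that the panic button is honoured only while the ID is still enabled are assumptions, since the disclosure says only "few minutes" and "few days".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values: the disclosure says only "few minutes" and "few days".
LEAD_TIME = timedelta(minutes=5)   # enable the id shortly before the change window
PURGE_DELAY = timedelta(days=3)    # delete the disabled id a few days after the window

@dataclass
class VolatileId:
    change_id: str
    server: str
    engineer: str
    window_start: datetime
    window_end: datetime
    approved: bool = False                   # manager approval received?
    extension: timedelta = timedelta(0)      # accumulated panic-button extensions
    state: str = "disabled"                  # created in disabled state
    log: list = field(default_factory=list)  # audit trail of every action taken

    def effective_end(self) -> datetime:
        return self.window_end + self.extension

    def approve(self, approver: str, now: datetime) -> None:
        self.approved = True
        self.log.append(f"{now:%H:%M} approved by {approver}")

    def panic(self, extra: timedelta, now: datetime) -> bool:
        # Panic button: extend the id's life; honoured only while it is still enabled (assumed)
        if self.state != "enabled":
            self.log.append(f"{now:%H:%M} panic rejected: id is {self.state}")
            return False
        self.extension += extra
        self.log.append(f"{now:%H:%M} panic: window extended to {self.effective_end():%H:%M}")
        return True

    def desired_state(self, now: datetime) -> str:
        # Deletion wins over everything; enabling needs approval AND the time window
        if now >= self.effective_end() + PURGE_DELAY:
            return "deleted"
        in_window = self.window_start - LEAD_TIME <= now < self.effective_end()
        return "enabled" if self.approved and in_window else "disabled"

    def reconcile(self, now: datetime) -> str:
        # Run periodically by the scheduler; applies and logs any due transition
        target = self.desired_state(now)
        if target != self.state and self.state != "deleted":
            self.log.append(f"{now:%Y-%m-%d %H:%M} {self.state} -> {target}")
            self.state = target
        return self.state
```

A scheduler would call `reconcile()` on every tracked ID at each polling interval and push the resulting state to the target system; the log is what an auditor reviews afterwards.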