Cobalt Iron earns patent on analytics-based dynamic authorization control

April 25, 2024

LAWRENCE, Kan. – April 25, 2024 – Cobalt Iron Inc., a leading provider of SaaS-based enterprise data protection, today announced that it has received a patent on its technology for dynamic authorization control based on Information Technology (IT) security and operational events.

U.S. patent No. 11902285, issued on Feb. 13, describes dynamic, multidimensional authorization control techniques that respond to changes or events in the environment and that improve over time based on machine learning. The company will implement these techniques in Cobalt Iron Compass, an enterprise SaaS backup platform.

Today's IT and data environments are rapidly changing. So, too, are security requirements, such as the need to respond to ever more sophisticated cyber attacks. The industry lacks authorization controls that respond to cyber threats, events, or other changes in the IT environment.

Authorization controls are the processes by which individuals or entities are validated to have proper security authentication (i.e., identity verification) and access control (permissions and privileges) to execute some action (e.g., access, view, move, write, delete, or configure) against some resource (e.g., a building, bank account, applications, data, IT resources, or operation centers). Existing techniques are typically two-dimensional in nature, providing control over functional permissions and the domain, or scope, of those permissions.

It is common for IT administrators to have many roles and to move frequently between different teams, some of which are transient, and some of which could partially or completely overlap or even conflict. In addition, roles may change in different operational environments (e.g., in different clouds, data centers, projects, stages of a project, etc.).

For example, a systems administrator could also be assigned to a data center migration team, a disaster recovery test team, an audit team, or other project roles. The required authentication controls will likely be different for each of those various roles. Existing approaches are typically static and simply maintain the same authorization for the administrator no matter what role or project team they might be working on. This practice could result in inappropriate access, thereby increasing business risk.

Furthermore, in most current environments, authentication roles and associated permissions are often left in place for long periods of time, sometimes years, without further validation or adjustment. As job responsibilities, projects, applications, architectures, and business needs change, these stale roles and permission assignments often lead to security exposures.

This patent introduces approaches that provide more dynamic control of authentication privileges based on changing user roles, current security conditions, and historical analysis of past operational outcomes of authentication levels. The technology qualifies for a patent because it uses analytics and machine learning to make these dynamic adjustments. When fully implemented, the patented techniques will make it possible for Compass to:

  • Inform analytics with historical data on security events, authentication levels for members of various teams, operational outcomes of those member authentication levels, evolving team member roles, and other data.
  • Apply machine learning analytics to determine optimal adjustments to team and member authentication levels during security events.
  • Monitor for various conditions and events, including a change in team member roles, a change in the locality of data or other resources, or indications of a cyber security event.
  • Dynamically modify user authorization control, level, or duration based on the condition or event and the machine learning analysis.
  • Leverage a cloud security profile in the determination of any user authorization modifications.

For example, if a user is acting in a different role on a different team, Compass may automatically adjust authorization control to the IT resources associated with the new role and team. In another example, analysis of operational outcomes of authentication controls during previous cyber security events might indicate a need to adjust authentication levels automatically during future security events to optimize business processes and reduce risk.

"Static authorization controls are an often overlooked security exposure for businesses. Once set, access control credentials are commonly left in place for long periods of time, are not reviewed, and are not adjusted for varying roles administrators may play in the organization," said Rob Marett, chief technology officer at Cobalt Iron. "One of the areas where Cobalt Iron continues to innovate is in analytics-based optimizations of authorization controls to IT resources. This patent is another example of that. Compass will use analysis of operational outcomes to optimize access credentials and reduce security exposures in IT environments."