As various forms of distributed computing, such as cloud computing, have come to dominate the computing landscape, security has become a bottleneck that currently prevents the complete migration of capabilities and systems associated with sensitive data, such as financial data, to cloud-based infrastructures and/or other distributed computing models. This is because many owners and operators of data centers that provide access to data and other resources are extremely hesitant to allow their data and resources to be accessed, processed, and/or otherwise used by virtual assets, such as virtual machine and server instances in the cloud.
One issue associated with the use of resources such as virtual assets, and other more traditional assets, is the need to control who is provided access to, and/or control of, the resources. For instance, in order to perform their assigned job or role within an organization, multiple parties within, or associated with, the organization may require access to resources owned by the organization.
As an even more specific example, in a cloud computing environment, an organization, such as an enterprise, may have literally thousands, or even tens of thousands, of resources, such as server instances, data storage instances, or other virtual assets, that are provided by a cloud service provider and are under the control of the organization. In many cases, the access to these resources is controlled by multiple account numbers assigned to the organization and controlling sub-sets of the resources assigned to the organization. The account numbers often are associated with different classes of resources, and/or used for different tasks, and/or with different security issues/levels.
As discussed above, in a cloud computing environment, an organization can control which resources a given party has access to by controlling the account numbers provided to the party. Consequently, by controlling the distribution of account numbers to a party, the organization can control which resources the party can access. In other cases, and in other computing environments, an organization can similarly control which resources a party can access by controlling the distribution of passwords, passphrases, digital certificates, encryption keys, or other secrets. In many cases, sets of allowed secrets are themselves controlled by other access data such as account numbers, access clearance codes, and/or any other access permissions data.
While controlling access to various resources using account numbers, secrets, and other access permissions can be an effective way of controlling a party's access to resources, accurately assigning, monitoring, and updating the permissions data which a given party within an organization should, or should not, be provided is currently a largely manual activity that consumes significant resources, and is often handled in an ad-hoc and inefficient manner. More problematic still is the fact that using current manual methods for assigning, monitoring, and updating the permissions data, there is often no systematic and effective mechanism for monitoring the trustworthiness of a given party and using this information to assign, monitor, and update the permissions data provided to that party. Consequently, using current methods for assigning, monitoring, and updating permissions data, there is significant potential for security gaps, human error, and inefficient and ineffective use of resources.
What is needed is a method and system to automatically obtain, monitor, and analyze the employment role data associated with a party, the trust data associated with a party, and the special permissions data associated with a party in order to assign, monitor, and update the permissions data provided to that party, and/or to make recommendations regarding the permissions data provided to that party.
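To make the need described above concrete, the following is an added illustration (not code from this document or from any system it describes) of the kind of automated permissions engine the last paragraph calls for. It combines three inputs per party: role data (a role-to-permissions mapping), trust data (a numeric trust level compared against a per-permission minimum), and special permissions data (individually approved grants with an expiry). From these it derives the permissions a party is entitled to and emits grant/revoke recommendations against the permissions the party currently holds. The role mapping, trust thresholds, permission names and sample parties are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed assumption: each role grants a fixed permission set. Permission
# names are illustrative account/resource identifiers, not real ones.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "developer": {"dev-account:read", "dev-account:write", "dev-db:read"},
    "dba": {"prod-db:read", "prod-db:write", "dev-db:read"},
    "auditor": {"prod-db:read", "finance:read"},
}

# Constructed assumption: minimum trust level a party must have before a
# permission may be granted, regardless of how the permission was requested.
MIN_TRUST: Dict[str, int] = {
    "dev-account:read": 1, "dev-account:write": 2, "dev-db:read": 1,
    "prod-db:read": 3, "prod-db:write": 4,
    "finance:read": 4, "finance:write": 5,
}


@dataclass
class SpecialGrant:
    """A permission granted outside the role mapping, with approver and expiry."""
    permission: str
    expires: datetime
    approved_by: str


@dataclass
class Party:
    name: str
    roles: Set[str]
    trust_level: int
    special_grants: List[SpecialGrant]
    current_permissions: Set[str]  # what the party holds today


def compute_entitled(party: Party, now: datetime) -> Tuple[Set[str], Dict[str, str]]:
    """Return (permissions the party should hold, reasons for each denied one).

    Candidates come from roles and from unexpired special grants; every
    candidate is then gated on the party's trust level.
    """
    candidates: Dict[str, str] = {}  # permission -> where it came from
    for role in sorted(party.roles):
        for perm in ROLE_PERMISSIONS.get(role, set()):
            candidates.setdefault(perm, f"role:{role}")
    for grant in party.special_grants:
        if grant.expires <= now:
            continue  # expired grants never become candidates
        candidates.setdefault(grant.permission, f"special:{grant.approved_by}")

    entitled: Set[str] = set()
    denied: Dict[str, str] = {}
    for perm, source in candidates.items():
        required = MIN_TRUST.get(perm)
        if required is None:
            denied[perm] = f"unknown permission ({source})"
        elif party.trust_level < required:
            denied[perm] = f"trust {party.trust_level} < required {required} ({source})"
        else:
            entitled.add(perm)
    return entitled, denied


def recommend(party: Party, now: datetime) -> Dict[str, object]:
    """Diff entitled permissions against current ones to produce recommendations."""
    entitled, denied = compute_entitled(party, now)
    return {
        "grant": sorted(entitled - party.current_permissions),
        "revoke": sorted(party.current_permissions - entitled),
        "denied": denied,
    }


# Constructed sample data: a fixed "now" so the run is reproducible offline.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def build_sample_parties() -> Dict[str, Party]:
    """Two constructed parties exercising the trust gate and grant expiry."""
    return {
        # Alice: developer, trust 2, special prod read grant she is not yet
        # trusted enough for, and a stale finance:write nobody re-approved.
        "alice": Party("alice", {"developer"}, 2,
                       [SpecialGrant("prod-db:read", NOW + timedelta(days=30), "cto")],
                       {"dev-account:read", "finance:write"}),
        # Bob: auditor, trust 4, whose special finance:write grant has expired.
        "bob": Party("bob", {"auditor"}, 4,
                     [SpecialGrant("finance:write", NOW - timedelta(days=1), "cfo")],
                     {"finance:write", "prod-db:read"}),
    }


def demo() -> Dict[str, Dict[str, object]]:
    return {name: recommend(p, NOW) for name, p in build_sample_parties().items()}


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec)
```

Re-running `recommend` whenever a party's role set, trust level or grant list changes is what turns the manual, ad-hoc review the text describes into a systematic one: a drop in trust level or an expired grant immediately surfaces as a revoke recommendation rather than waiting for someone to notice.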