
US-12621292-B2 - Techniques for securing identity and access management operations via agents and relays


Abstract

Systems and methods for secure execution of operations. A method includes executing a control message generated by a system that is external to a computing environment, wherein the control message indicates at least a resource within the computing environment and an operation type of an operation to be performed via the resource, wherein executing the control message includes causing execution the operation via the resource in order to generate operation results data. A secret is removed from a control message response in order to create a secured control message response, wherein the control message response is generated based on the operation results data. The secured control message response is transmitted to the system.

Inventors

  • Barak SHELEF
  • Yonatan SHAFRIR
  • Lior GALAM

Assignees

  • OASIS SECURITY LTD.

Dates

Publication Date
20260505
Application Date
20240916

Claims (12)

  1. A method for secure operation execution, wherein the method is performed by a first agent, comprising: executing a control message generated by a system that is external to a computing environment, wherein the control message indicates at least a resource within the computing environment and an operation type of an operation to be performed via the resource, wherein executing the control message includes causing execution of the operation via the resource in order to generate operation results data, wherein the operation is a secret rotation operation, wherein the control message has attached relay instructions, wherein the relay instructions indicate a second agent as a destination for the control message, wherein causing the execution of the operation further comprises: relaying the control message to the second agent, wherein the second agent executes the control message in order to execute the operation via the resource; identifying a relay queue for relaying the control message to the second agent; establishing a connection with the relay queue, wherein the control message is relayed to the second agent via the relay queue; and causing the operation to be performed by causing a first secret stored in the vault to be replaced with a second secret, wherein the second secret has a secret identifier indicated in the operation results data; removing the second secret from a control message response in order to create a secured control message response, wherein the control message response is generated based on the operation results data, wherein removing the second secret from the control message response further comprises replacing an instance of the second secret in the control message response with the secret identifier; and transmitting the secured control message response to the system.
  2. The method of claim 1, wherein the relay instructions further include instructions which cause the operation results data to be returned to the first agent when the relay instructions are executed by the second agent.
  3. The method of claim 1, wherein the operation results data is received from the second agent via the relay queue.
  4. The method of claim 1, wherein the method is performed by an agent deployed in the computing environment, wherein the agent is configured such that authentication credentials used by the agent to access the resource remain within a perimeter of the computing environment.
  5. The method of claim 1, wherein the operation is performed with respect to a secret having a secret identifier, wherein removing the secret from the control message response further comprises: replacing an instance of the secret in the control message response with the secret identifier.
  6. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: executing a control message generated by a system that is external to a computing environment, wherein the control message indicates at least a resource within the computing environment and an operation type of an operation to be performed via the resource, wherein executing the control message includes causing execution of the operation via the resource in order to generate operation results data, wherein the operation is a secret rotation operation, wherein the control message has attached relay instructions, wherein the relay instructions indicate a second agent as a destination for the control message, wherein causing the execution of the operation further comprises: relaying the control message to the second agent, wherein the second agent executes the control message in order to execute the operation via the resource; identifying a relay queue for relaying the control message to the second agent; establishing a connection with the relay queue, wherein the control message is relayed to the second agent via the relay queue; and causing the operation to be performed by causing a first secret stored in the vault to be replaced with a second secret, wherein the second secret has a secret identifier indicated in the operation results data; removing the second secret from a control message response in order to create a secured control message response, wherein the control message response is generated based on the operation results data, wherein removing the second secret from the control message response further comprises replacing an instance of the second secret in the control message response with the secret identifier; and transmitting the secured control message response to the system.
  7. A system for secure operation execution, comprising: a processing circuitry, wherein the system is a first system deployed within a computing environment; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the first system to perform the following steps via a first agent: executing a control message generated by a system that is external to a computing environment, wherein the control message indicates at least a resource within the computing environment and an operation type of an operation to be performed via the resource, wherein executing the control message includes causing execution of the operation via the resource in order to generate operation results data, wherein the operation is a secret rotation operation, wherein the control message has attached relay instructions, wherein the relay instructions indicate a second agent as a destination for the control message, wherein the system is further configured to: relay the control message to the second agent, wherein the second agent executes the control message in order to execute the operation via the resource; identify a relay queue for relaying the control message to the second agent; establish a connection with the relay queue, wherein the control message is relayed to the second agent via the relay queue; cause the operation to be performed by causing a first secret stored in the vault to be replaced with a second secret, wherein the second secret has a secret identifier indicated in the operation results data; remove the second secret from a control message response in order to create a secured control message response, wherein the control message response is generated based on the operation results data, wherein removing the second secret from the control message response further comprises replacing an instance of the second secret in the control message response with the secret identifier; and transmit the secured control message response to the system.
  8. The system of claim 7, wherein the relay instructions further include instructions which cause the operation results data to be returned to the first agent when the relay instructions are executed by the second agent.
  9. The system of claim 7, wherein the operation results data is received from the second agent via the relay queue.
  10. The system of claim 7, wherein the system is configured to execute the control message via an agent deployed in the computing environment, wherein the agent is configured such that authentication credentials used by the agent to access the resource remain within a perimeter of the computing environment.
  11. The system of claim 7, wherein the operation is performed with respect to a secret having a secret identifier, wherein the system is further configured to: replace an instance of the secret in the control message response with the secret identifier.
  12. The system of claim 7, wherein the operation is a secret rotation operation, wherein the resource indicated in the control message is a vault, wherein the secret is a second secret, wherein the system is further configured to: cause the secret rotation operation to be performed by causing a first secret stored in the vault to be replaced with the second secret, wherein the second secret has a secret identifier indicated in the operation results data, wherein removing the secret from the control message response further comprises: replace an instance of the second secret in the control message response with the secret identifier.
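The flow of claim 1 (a first agent relays a secret rotation control message to a second agent through a relay queue, then replaces every instance of the new secret in the response with its secret identifier before transmitting to the external system), as an added illustration that is not the patent's or the assignee's code. The in-memory vault, the deque standing in for the relay queue, and the message field names are constructed assumptions; the scrubbing also handles secrets embedded inside log strings and nested structures, which is the case a practitioner most often gets wrong.

```python
import secrets
from collections import deque

# Constructed stand-ins: a real deployment would call a vault API and a message queue.
VAULT = {"db-admin": "old-pass-123"}   # secret identifier -> current secret value
RELAY_QUEUE = deque()                  # relay queue between the first and second agent


def rotate_secret(vault, secret_id):
    """Secret rotation on the vault resource: the first secret is replaced by a fresh second secret.
    The returned operation results data deliberately carries the new secret in several places."""
    new_secret = secrets.token_urlsafe(24)
    vault[secret_id] = new_secret
    return {"status": "rotated", "secret_id": secret_id, "secret": new_secret,
            "log": [f"replaced secret {secret_id}", f"new value {new_secret} stored"]}


def secure_response(response, secret_value, secret_id):
    """Create the secured control message response: every instance of the secret, whether it is
    a whole value, a substring of a log line, or nested in a list/dict, becomes the identifier."""
    placeholder = f"<secret-id:{secret_id}>"

    def scrub(node):
        if isinstance(node, str):
            return node.replace(secret_value, placeholder)
        if isinstance(node, dict):
            return {k: scrub(v) for k, v in node.items()}
        if isinstance(node, list):
            return [scrub(v) for v in node]
        return node

    return scrub(response)


def second_agent(message, vault):
    """Second agent: executes the relayed control message against the vault, returns results data."""
    if message["resource"] != "vault" or message["operation"] != "rotate_secret":
        raise ValueError("unsupported control message")
    return rotate_secret(vault, message["secret_id"])


def first_agent(control_message, vault=VAULT, queue=RELAY_QUEUE):
    """First agent: relays via the queue when relay instructions are attached, executes locally
    otherwise, and never lets the raw second secret leave in the response."""
    if "relay" in control_message:
        queue.append(control_message)                     # hand off through the relay queue
        results = second_agent(queue.popleft(), vault)    # destination agent consumes and executes
    else:
        results = rotate_secret(vault, control_message["secret_id"])
    response = {"control_message_id": control_message["id"], "results": results}
    return secure_response(response, results["secret"], results["secret_id"])
```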

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 63/660,033 filed on Jun. 14, 2024, the contents of which are hereby incorporated by reference.

TECHNICAL FIELD

The present disclosure relates generally to identity and access management (IAM), and more specifically to cybersecurity for IAM operations.

BACKGROUND

Identity and access management (IAM) is a set of policies, services, and technologies used to control access to and use of digital resources. IAM systems work to keep malicious entities from accessing these resources and to ensure that users have certain permissions to use these resources while placing restrictions on such use. As organizations increasingly turn to cloud computing for their computing needs and the number of identities being managed increases, the need for robust IAM systems which can continuously operate safely remains important.

To ensure that the correct entities are granted access to resources and to ensure that those entities comply with any restrictions or limitations on their use of those resources, IAM techniques include authenticating users in order to verify the identity of the user before granting access. Once a user has been authenticated, access may be controlled based on the identity of the user (e.g., by granting the user the ability to use resources as determined based on their identity). Authentication may utilize credentials such as identity information (e.g., usernames) and secrets (e.g., passwords). To this end, various IAM solutions use systems to track and maintain these credentials. For example, identity provider systems may maintain information about identities, which users are associated with identities, privileges for identities, and the like. Additionally, secret vaults may store secrets to be used during authentication, and may also keep logs of secret use.

It would therefore be advantageous to provide a solution that would overcome the challenges noted above.

SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term "some embodiments" or "certain embodiments" may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for secure operation execution. The method comprises: executing a control message generated by a system that is external to a computing environment, wherein the control message indicates at least a resource within the computing environment and an operation type of an operation to be performed via the resource, wherein executing the control message includes causing execution of the operation via the resource in order to generate operation results data; removing a secret from a control message response in order to create a secured control message response, wherein the control message response is generated based on the operation results data; and transmitting the secured control message response to the system.

Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: executing a control message generated by a system that is external to a computing environment, wherein the control message indicates at least a resource within the computing environment and an operation type of an operation to be performed via the resource, wherein executing the control message includes causing execution of the operation via the resource in order to generate operation results data; removing a secret from a control message response in order to create a secured control message response, wherein the control message response is generated based on the operation results data; and transmitting the secured control message response to the system.

Certain embodiments disclosed herein also include a system for secure operation execution. The system acts as a first system. The system comprises: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the first system to: execute a control message generated by a second system that is external to the computing environment, wherein the control message indicates at least a resource within the computing environment and an operation type of an operation to be performed via the resource, wherein executing the control