US-12625995-B2 - System, methods, and devices for data storage and processing with identity management
Abstract
Embodiments relate to data storage systems and data processing systems using a data hub, connector grid, and channel services. The systems can extract raw data from a plurality of source systems, and load and store the raw data at a data hub implemented by a non-transient data store. The systems can receive a request to generate data for consumption and, in response, transmit generated data sets to channel services. The system can implement event detection and logging. The system can implement policy enforcement and identity management with access controls.
Inventors
- Iouri MIKHAILOV
- Ching Leong WAN
Assignees
- BANK OF MONTREAL
Dates
- Publication Date
- 20260512
- Application Date
- 20240507
Claims (19)
- 1 . A system for identity and access management, comprising at least a processor and a non-transient data memory storage, the data memory storage containing machine-readable instructions for execution by the processor, the machine-readable instructions configured to, when executed by the processor: load and store raw data from a plurality of source systems at a data hub implemented by a non-transient data store; receive a request for an application and data at the data hub, the request indicating an enterprise credential, the application having application functions; map the enterprise credential to an enterprise identity; in response to the request, select a set of data from the raw data based on the enterprise identity using: a data map comprising a graph linking one or more data columns of the raw data to one or more data fields of an enterprise data set, and at least one access control rule corresponding to one or more constraints determined from a usage attribute of the application; transform the selected set of data into an enterprise data set; and transmit, to an interface of an information delivery platform, the enterprise data set.
- 2 . The system of claim 1 wherein the processor receives and stores event data linked to the enterprise credentials or enterprise identity.
- 3 . The system of claim 1 wherein the enterprise credentials comprise a device fingerprint.
- 4 . The system of claim 1 wherein the enterprise credentials comprise biometric data.
- 5 . The system of claim 1 wherein the application functions comprise a protected function, wherein control of the protected function comprises prompting for additional enterprise credentials prior to permitting access to the protected function.
- 6 . The system of claim 1 , wherein the data hub stores the raw data at the non-transient data store in a data format that is identical to a source data format of the raw data in the plurality of source systems.
- 7 . The system of claim 1 , wherein the data map is a visual graph linking one or more data columns of the raw data to one or more data fields of the set of data.
- 8 . The system of claim 1 , wherein the data map is generated based on data attributes stored in a metadata database.
- 9 . The system of claim 1 , wherein the data map is generated through machine learning techniques.
- 10 . The system of claim 1 , wherein the information delivery platform is further configured to define one or more access controls on data access, based on the enterprise identity.
- 11 . The system of claim 1 , wherein the information delivery platform is further configured to generate a data view based on the enterprise identity.
- 12 . The system of claim 11 , wherein the information delivery platform is further configured to update the data view based on the enterprise identity.
- 13 . The system of claim 1 , wherein the information delivery platform is further configured to receive data associated with the enterprise identity, update the enterprise data set, and transmit the update data.
- 14 . The system of claim 1 , wherein the information delivery platform is further configured to receive data associated with the enterprise identity and associate the data with data from the data hub using the data map.
- 15 . A computer-implemented method for executing by a processor, the method comprising: extracting, by the processor, raw data from a plurality of source systems; loading and storing the raw data at a data hub implemented by a non-transient data store; receiving a request to generate data for consumption, the request indicating an enterprise identity; in response to the request, selecting a set of data from the raw data based on the enterprise identity using: a data map comprising a graph linking one or more data columns of the raw data to one or more data fields of an enterprise data set, and at least one access control rule corresponding to one or more constraints determined from a usage attribute of the application; transforming the selected set of data into an enterprise data set based on the data map and the enterprise identity; and transmitting the enterprise data set.
- 16 . The method of claim 15 , wherein data hub stores the raw data at the non-transient data store in a data format that is identical to a source data format of the raw data in the plurality of source systems.
- 17 . The method of claim 15 , wherein the data map is a visual graph linking one or more data columns of the raw data to one or more data fields of the curated set of data.
- 18 . The method of claim 17 , wherein the data map is generated based on data attributes stored in a metadata database.
- 19 . The method of claim 17 , comprising generating the data map through machine learning techniques.
Description
CROSS REFERENCE TO RELATED APPLICATION
This application is a continuation of U.S. application Ser. No. 17/837,817, filed on Jun. 10, 2022, which is a continuation of U.S. application Ser. No. 16/517,327, filed on Jul. 19, 2019, which claims priority to U.S. Provisional Application No. 62/700,388, filed on Jul. 19, 2018, the contents of which are hereby incorporated by reference herein for all purposes. This application relates to U.S. application Ser. No. 16/517,253, entitled SYSTEMS AND METHODS FOR DATA STORAGE AND PROCESSING, the contents of which are hereby incorporated by reference.
FIELD
The present disclosure generally relates to the field of data storage systems and processing.
INTRODUCTION
A full-service financial institution depends heavily on the use of technology to serve customers with a wide range of products and services. In addition, technology is used to meet stringent risk management and regulatory compliance requirements. An organization with a long history has typically adopted a myriad range of technologies, from legacy platforms like mainframes to modern capabilities like mobile and analytic applications. An organization might have a large set of applications (many hundreds) through acquisition and integration. To continue to deliver a differentiating customer experience and transformation, and to keep pace with or leap-frog competitors, both traditional and disruptive ones, an institution needs to be able to effectively and efficiently integrate this complex and diverse set of applications. An integrated enterprise not only forms the foundational capability to deliver any product and service across different channels, it also enables the ability to identify events and generate actionable insights to become an intelligent institution.
SUMMARY
In accordance with an aspect, there is provided systems and methods for identity and access management.
Systems and methods can provide authentication and authorization along with access control for business functions and data. In some embodiments, a Customer Identity and Access Management (CIAM) system provides an enterprise credential store per customer. The credential(s) can be used to identify the customer by cross-referencing with the Enterprise Customer Information Facility (ECIF). This in turn can map to the application functions and data entitlements, and CIAM can perform access enforcement at multiple layers of the architecture accordingly. In addition to being integrated with ECIF and the various architecture layers, CIAM also supports integration with other credential functions, such as biometric credentials, and other authentication flows, such as step-up multi-factor authentication.

In accordance with an aspect, there is provided systems and methods for identity and access management that involve receiving enterprise credentials (e.g., an organization identifier). An organization can use one credential across the different channels or can use multiple credentials. The system can map credentials back to an identity (e.g., a password can be a credential that links to a customer identity). Multiple credentials can link back to the same identity, and in some embodiments there can be different credentials for the same identity.

The system can involve enforcement of credentials or access controls. For example, a customer can be allowed to use an application, and access controls can determine which functions within the application the customer is authorized for. The controls can indicate whether the customer needs to provide more information to use protected functions within an application. For example, in a bank a wire payment over $1M may trigger the need to provide higher-level authentication data or additional credential data (e.g., a one-time code). The controls can indicate the type of credential data required, which can vary depending on the application function.

The access controls also indicate data entitlement. The system can integrate with different channels and different types of authentication systems, such as biometric and device fingerprint. The system can capture event data related to the use of credentials, or to activity otherwise linked to the enterprise identity, to generate insights relevant to identity management (e.g., how many log-ins for an enterprise credential).

The control mechanism that defines control of a protected function can be policy based and/or risk based. Policy based means control is determined by business rules (e.g., a wire payment over $1M). Risk based refers to contextual usage based on data accessed by the system (e.g., the user is logging in from a suspicious geographic location, which the system can detect based on IP address range, or the user device is reported stolen; there are global providers of this information to which an organization has subscribed).

In accordance with an aspect there is provided a system for identity and access management. The system has a processor and a non-transient data memory storage. The processor configured
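As an added worked example (not code from the patent, its inventors, or the assignee), the following Python sketch implements the identity and access management flow the Summary describes: several credentials resolving to one enterprise identity, function entitlement with a policy-based step-up rule (wire payment over $1M requires a one-time code), risk-based step-up and denial (suspicious IP address range, device reported stolen), data entitlement through a data map that links raw source columns to enterprise data-set fields, and event capture for every decision. Every identifier, threshold, network range, credential, identity, entitlement and raw record below is constructed for the example; the function names and the flattened shape of the data map are assumptions, not the patent's design.

```python
"""Toy CIAM-style policy engine (constructed illustration, not the patent's code).

Demonstrates: credential -> identity mapping, policy- and risk-based control of
protected functions with step-up authentication, data entitlement via a
column-to-field data map, and event logging keyed to the enterprise identity.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed credential store: several credentials may map to one identity.
CREDENTIALS: Dict[str, str] = {
    "pw:alice@example.test": "CUST-0001",
    "device:3f9a1c77": "CUST-0001",      # device fingerprint, same identity
    "pw:bob@example.test": "CUST-0002",
}

# Constructed entitlements: application functions each identity may use.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "CUST-0001": {"view_balance", "wire_payment"},
    "CUST-0002": {"view_balance"},
}

# Policy-based rule (business rule): wires above this amount need step-up.
WIRE_STEP_UP_THRESHOLD = 1_000_000
# Risk-based context (constructed): suspicious IP range and stolen-device feed.
SUSPICIOUS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
STOLEN_DEVICES = {"device:deadbeef"}

# Data map (assumed flattened form): raw source column -> (enterprise field,
# entitlement required to receive that field).
DATA_MAP: Dict[str, Tuple[str, str]] = {
    "ACCT_BAL_CAD": ("balance", "view_balance"),
    "ACCT_NO": ("account_number", "view_balance"),
    "WIRE_LIMIT": ("wire_limit", "wire_payment"),
    "SSN_HASH": ("ssn_hash", "kyc_review"),   # nobody above holds this
}

EVENTS: List[dict] = []   # event data linked to the enterprise identity


def log_event(identity: Optional[str], kind: str, **detail) -> None:
    EVENTS.append({"identity": identity, "kind": kind, **detail})


def resolve_identity(credential: str) -> Optional[str]:
    """Map a presented credential back to an enterprise identity (or None)."""
    identity = CREDENTIALS.get(credential)
    log_event(identity, "login_attempt", credential=credential,
              ok=identity is not None)
    return identity


@dataclass
class Decision:
    allowed: bool
    step_up: Optional[str] = None          # extra credential type required
    reasons: List[str] = field(default_factory=list)


def authorize(identity: str, function: str, amount: int = 0,
              ip: Optional[str] = None, device: Optional[str] = None,
              otp_verified: bool = False) -> Decision:
    """Decide whether `identity` may invoke `function` in this context."""
    d = Decision(allowed=False)
    if function not in ENTITLEMENTS.get(identity, set()):
        d.reasons.append("not entitled")
        log_event(identity, "authz_denied", function=function, reasons=d.reasons)
        return d
    # Policy-based control: business rule on the transaction amount.
    if function == "wire_payment" and amount > WIRE_STEP_UP_THRESHOLD:
        d.reasons.append("policy: wire over threshold")
        d.step_up = "one_time_code"
    # Risk-based control: contextual signals about the session.
    if ip and any(ipaddress.ip_address(ip) in n for n in SUSPICIOUS_NETWORKS):
        d.reasons.append("risk: suspicious ip range")
        d.step_up = "one_time_code"
    if device in STOLEN_DEVICES:
        d.reasons.append("risk: device reported stolen")
        log_event(identity, "authz_denied", function=function, reasons=d.reasons)
        return d                           # hard deny, no step-up offered
    if d.step_up and not otp_verified:
        log_event(identity, "step_up_required", function=function,
                  required=d.step_up, reasons=d.reasons)
        return d
    d.allowed = True
    log_event(identity, "authz_allowed", function=function)
    return d


def select_data(identity: str, raw_row: Dict[str, object]) -> Dict[str, object]:
    """Apply the data map and the identity's entitlements to one raw record."""
    granted = ENTITLEMENTS.get(identity, set())
    out = {}
    for column, (field_name, needed) in DATA_MAP.items():
        if column in raw_row and needed in granted:
            out[field_name] = raw_row[column]
    log_event(identity, "data_delivered", fields=sorted(out))
    return out
```

The stolen-device signal is treated as a hard deny rather than a step-up prompt, which is a design choice of this example; the page only says the control can be risk based. The patent describes the data map as a graph linking columns to fields; the dictionary here collapses that to one edge per column, with the entitlement attached to the edge, so that the same structure that shapes the enterprise data set also enforces data entitlement.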