US-12627668-B2 - Role-based access control recommendation systems

Abstract

A method for role-based access control recommendation includes obtaining one or more security logs from a security analytics platform. The method includes determining access rights to the one or more security logs for one or more users of the security analytics platform. The determining includes generating one or more clusters of security logs based on the one or more security logs. The determining includes providing, to a user of the security analytics platform, a recommendation for a first data access group for the security analytics platform based on a first cluster of the one or more clusters. The determining includes, responsive to input from the user of the security analytics platform, generating the first data access group for the security analytics platform based on the first cluster of the one or more clusters.

Inventors

  • James Paul Black

Assignees

  • GOOGLE LLC

Dates

Publication Date
2026-05-12
Application Date
2024-05-09

Claims (20)

  1. A method to provide access group recommendations, comprising: obtaining a plurality of security logs from a security analytics platform, wherein: each security log of the plurality of security logs indicates an action occurring on a computing system, and each security log of the plurality of security logs comprises a plurality of key-value pairs; and determining access rights to the plurality of security logs for a plurality of users of the security analytics platform, wherein the plurality of users include a first subset of the plurality of users having access to a first subset of the plurality of security logs, and wherein the determining comprises: generating a plurality of clusters of security logs based on at least a portion of the key-value pairs of the plurality of security logs, providing, to a user of the security analytics platform, a recommendation for a first data access group for the security analytics platform based on a first cluster of the plurality of clusters, wherein the first data access group comprises data indicating the first subset of the plurality of security logs of the security analytics platform and the first subset of the plurality of users to have access to the subset of the plurality of security logs of the security analytics platform, and responsive to user input indicating approval of the user of the security analytics platform, generating the first data access group for the security analytics platform based on the first cluster of the plurality of clusters.
  2. The method of claim 1, wherein the at least a portion of the key-value pairs of the plurality of security logs comprises at least one of: a vendor key-value pair; a product key-value pair; or a product type key-value pair.
  3. The method of claim 1, wherein the at least a portion of the key-value pairs of the plurality of security logs comprises at least one of: a business unit key-value pair; or a geographic location key-value pair.
  4. The method of claim 1, wherein obtaining the plurality of security logs from the security analytics platform comprises obtaining one or more event logs of the computing system.
  5. The method of claim 1, further comprising obtaining a second data access group from the security analytics platform, wherein: the second data access group includes a data access group generated using input of the user of the security analytics platform; and the second data access group includes data indicating a second subset of users of the plurality of users of the security analytics platform.
  6. The method of claim 5, wherein providing, to the user of the security analytics platform, the recommendation for the first data access group comprises: determining that a similarity metric indicates a dissimilarity regarding the first data access group and the second data access group above a threshold amount; and alerting the user of the security analytics platform of a data access leak.
  7. The method of claim 1, further comprising performing a data access group size analysis on the first data access group.
  8. The method of claim 7, wherein performing the data access group size analysis on the first data access group comprises: obtaining a directory service forest of the computing system; comparing a size of the first subset of the plurality of users of the security analytics platform to a size of a subset of the directory service forest; and responsive to a difference in the size of the first subset of the plurality of users and the size of the subset of the directory service forest being above a threshold difference, modifying the first subset of the plurality of users.
  9. The method of claim 7, wherein performing the data access group size analysis on the first data access group comprises: obtaining identity and access management (IAM) policy data of the computing system; comparing a size of the first subset of the plurality of users of the security analytics platform to a size of a group of users of the IAM policy data; and responsive to a difference in the size of the first subset of the plurality of users and the size of the subset of the data access group of the IAM policy data being above a threshold difference, modifying the first subset of the plurality of users.
  10. A system to provide access group recommendations, comprising: a memory; and a processing device, coupled to the memory, configured to perform operations, comprising: obtaining a plurality of security logs from a security analytics platform, wherein: each security log of the plurality of security logs indicates an action occurring on a computing system, and each security log of the plurality of security logs comprises a plurality of key-value pairs; and determining access rights to the plurality of security logs for a plurality of users of the security analytics platform, wherein the plurality of users include a first subset of the plurality of users having access to a first subset of the plurality of security logs, and wherein the determining comprises: generating a plurality of clusters of security logs based on at least a portion of the key-value pairs of the plurality of security logs, providing, to a user of the security analytics platform, a recommendation for a first data access group for the security analytics platform based on a first cluster of the plurality of clusters, wherein the first data access group comprises data indicating the first subset of the plurality of security logs of the security analytics platform and the first subset of the plurality of users to have access to the subset of the plurality of security logs of the security analytics platform, and responsive to user input indicating approval of the user of the security analytics platform, generating the first data access group for the security analytics platform based on the first cluster of the plurality of clusters.
  11. The system of claim 10, wherein the at least a portion of the key-value pairs of the plurality of security logs comprises at least one of: a vendor key-value pair; a product key-value pair; or a product type key-value pair.
  12. The system of claim 10, wherein the at least a portion of the key-value pairs of the plurality of security logs comprises at least one of: a business unit key-value pair; or a geographic location key-value pair.
  13. The system of claim 10, wherein obtaining the plurality of security logs from the security analytics platform comprises obtaining one or more event logs of the computing system.
  14. The system of claim 10, wherein the operations further comprise obtaining a second data access group from the security analytics platform, wherein: the second data access group includes a data access group generated using input of the user of the security analytics platform; and the second data access group includes data indicating a second subset of users of the plurality of users of the security analytics platform.
  15. The system of claim 14, wherein the operation of providing, to the user of the security analytics platform, the recommendation for the first data access group comprises: determining that a similarity metric indicates a dissimilarity regarding the first data access group and the second data access group above a threshold amount; and alerting the user of the security analytics platform of a data access leak.
  16. The system of claim 10, wherein the operations further comprise performing a data access group size analysis on the first data access group.
  17. A method to provide access group recommendations, comprising: obtaining a plurality of security logs from a security analytics platform, wherein: each security log of the plurality of security logs indicates an action occurring on a computing system, and each security log of the plurality of security logs comprises a plurality of key-value pairs; and determining access rights to the plurality of security logs for a plurality of users of the security analytics platform, wherein the plurality of users of the security analytics platform have access to a subset of the plurality of security logs, and wherein the determining comprises: obtaining a first data access group of the security analytics platform, selecting, based on the first data access group, the subset of the plurality of security logs of the security analytics platform, generating a plurality of clusters based on at least a portion of the key-value pairs of the subset of the plurality of security logs, and responsive to the selected subset of the plurality of security logs including one or more security logs belonging to different clusters that differ from a first cluster of the plurality of clusters, providing, to a user of the security analytics platform, a recommendation for a modification to the first data access group of the security analytics platform.
  18. The method of claim 17, wherein the data access group comprises a data access group generated using user input to the security analytics platform.
  19. The method of claim 17, further comprising, responsive to input from the user of the security analytics platform, generating a data access group for the security analytics platform based on the first data access group as modified by the recommendation.
  20. The method of claim 17, wherein obtaining the plurality of security logs from the security analytics platform comprises obtaining one or more event logs of the computing system.
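The following is an added worked example, not code from the patent or from the assignee: it implements the pipeline of claims 1, 2, 6 and 8/9 (and the same flow restated in the Summary) on a handful of constructed logs. Logs are clustered by exact match on the vendor, product and product type key-value pairs; one data access group is recommended per cluster; a user-defined group is compared against the recommended one with Jaccard distance as the similarity metric; and the recommended user count is compared against a directory or IAM group. The choice of Jaccard distance, the rule for which users are proposed for a cluster, and all sample data are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample security logs (not from the patent): each log is a set of
# key-value pairs; only the keys used for clustering are shown.
SAMPLE_LOGS = [
    {"id": 1, "vendor": "acme", "product": "fw", "product_type": "firewall"},
    {"id": 2, "vendor": "acme", "product": "fw", "product_type": "firewall"},
    {"id": 3, "vendor": "acme", "product": "fw", "product_type": "firewall"},
    {"id": 4, "vendor": "bravo", "product": "edr", "product_type": "endpoint"},
    {"id": 5, "vendor": "bravo", "product": "edr", "product_type": "endpoint"},
    {"id": 6, "vendor": "acme", "product": "proxy", "product_type": "web_proxy"},
]
# Constructed current access: user -> ids of the logs that user can already read.
EXISTING_ACCESS = {"alice": {1, 2}, "bob": {3}, "carol": {4, 5, 6}, "dave": {2, 4}}

CLUSTER_KEYS = ("vendor", "product", "product_type")  # the key-value pairs of claim 2

def cluster_logs(logs, keys=CLUSTER_KEYS):
    """Exact-match clustering: logs with identical values for `keys` share a cluster."""
    clusters = defaultdict(list)
    for log in logs:
        clusters[tuple(log.get(k, "") for k in keys)].append(log["id"])
    return dict(clusters)

def recommend_groups(clusters, existing_access):
    """One recommended data access group per cluster (claim 1). Assumption: the users
    proposed for a cluster are those whose current access touches a log in it."""
    recs = {}
    for label, log_ids in clusters.items():
        logs = set(log_ids)
        users = {u for u, ids in existing_access.items() if ids & logs}
        recs[label] = {"logs": logs, "users": users}
    return recs

def leak_check(recommended, user_defined, threshold=0.5):
    """Claim 6 with Jaccard distance as the assumed similarity metric: flag a possible
    data access leak when the user-defined group's logs are too dissimilar from the
    recommended cluster, and list the logs that fall outside that cluster."""
    a, b = recommended["logs"], user_defined["logs"]
    dissimilarity = 1.0 - (len(a & b) / len(a | b) if a | b else 1.0)
    return {"dissimilarity": dissimilarity, "leak": dissimilarity > threshold,
            "outside_cluster": sorted(b - a)}

def size_check(recommended, directory_group, threshold=2):
    """Claims 8/9 group size analysis: compare the recommended user count with a
    directory-service or IAM group; a gap above the threshold means revisit the group."""
    diff = abs(len(recommended["users"]) - len(directory_group))
    return diff, diff > threshold
```

In the constructed data, a user-defined group over logs 1, 4, 5 and 6 is flagged against the firewall cluster because logs 4 to 6 belong to other clusters, which is exactly the cross-cluster exposure the patent's leak alert is meant to surface.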

Description

TECHNICAL FIELD

The instant specification generally relates to computing devices. More specifically, the instant specification relates to role-based access control recommendation systems.

BACKGROUND

A security analytics platform can ingest data from computing resources (e.g., a computing system) in order to detect and respond to security threats on those computing resources. The ingested data can include event logs from devices and applications of the computing resources, network traffic data, or other data generated by or provided by the computing resources. The security analytics platform can then analyze the data, for example, by identifying patterns or anomalies in the data that can indicate a security threat for the computing resources.

SUMMARY

Disclosed herein are systems and methods for role-based access control recommendations. One aspect of the disclosure includes a method. The method includes obtaining one or more security logs from a security analytics platform. Each security log of the one or more security logs can indicate an action occurring on a computing system. Each security log of the one or more security logs may include one or more key-value pairs. The method includes determining access rights to the one or more security logs for one or more users of the security analytics platform. The determining can include generating one or more clusters of security logs based on at least a portion of the key-value pairs of the one or more security logs. The determining can include providing, to a user of the security analytics platform, a recommendation for a first data access group for the security analytics platform based on a first cluster of the one or more clusters. The first data access group may include data indicating a subset of the one or more security logs of the security analytics platform and a first subset of the one or more users to have access to the subset of the one or more security logs of the security analytics platform.

The determining can include, responsive to input from the user of the security analytics platform, generating the first data access group for the security analytics platform based on the first cluster of the one or more clusters. At least a portion of the key-value pairs of the one or more security logs may include a vendor key-value pair, a product key-value pair, a product type key-value pair, a business unit key-value pair, a geographic location key-value pair, or another type of key-value pair that can identify a first data access group. Obtaining the one or more security logs from the security analytics platform may include obtaining one or more event logs of the computing system. The method may further include obtaining a second data access group from the security analytics platform. The second data access group may include a data access group generated using input of the user of the security analytics platform. The second data access group may include data indicating a second subset of users of the one or more users of the security analytics platform. Providing, to the user of the security analytics platform, the recommendation for the first data access group may include determining that a similarity metric indicates a dissimilarity regarding the first data access group and the second data access group above a threshold amount and alerting the user of the security analytics platform of a data access leak. The method may further include performing a data access group size analysis on the first data access group.

Performing the data access group size analysis on the first data access group may include obtaining a directory service forest of the computing system, comparing a size of the first subset of the one or more users of the security analytics platform to a size of a subset of the directory service forest, and responsive to the difference in the size of the first subset of the one or more users and the size of the subset of the directory service forest being above a threshold difference, modifying the first subset of the one or more users. Performing the data access group size analysis on the first data access group may include obtaining identity and access management (IAM) policy data of the computing system, comparing a size of the first subset of the one or more users of the security analytics platform to a size of a group of users of the IAM policy data, and responsive to the difference in the size of the first subset of the one or more users and the size of the subset of the data access group of the IAM policy data being above a threshold difference, modifying the first subset of the one or more users.

Another aspect of the disclosure includes a system. The system includes a memory and a processing device coupled to the memory. The processing device is configured to perform operations. The operations include obtaining one or more security logs from a security analytics platform. Each security log of the one or more security logs can indicate an act