US-12627696-B2 - Identity power scoring system for cloud environments
Abstract
Systems and methods for providing an identity power scoring system for cloud environments. Various embodiments include defining a plurality of admin categories associated with a cloud environment; deriving a category power score of an identity for each of the plurality of admin categories; and calculating a global power score of the identity based on the power score for each of the plurality of admin categories. The scoring system helps identify and prioritize risk associated with specific identities, allowing more optimized methods of protection for information in the cloud-based system.
Inventors
- Aharon Fridman
Assignees
- ZSCALER, INC.
Dates
- Publication Date
- 20260512
- Application Date
- 20221116
Claims (20)
- 1. A non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors of a multi-tenant, zero-trust cloud-based security system providing inline monitoring and dynamic security policy enforcement between users and cloud services to perform steps of: defining a plurality of admin categories for identities within a tenant cloud environment, wherein each admin category is defined by a list of one or more relevant cloud services and an associated entitlement schema comprising all possible action-resource pairs representing operational privileges specific to the tenant cloud environment; deriving a privilege-based category power score of an identity for each of the plurality of admin categories by expanding all cloud entitlements available to the identity within each admin category, wherein the entitlements comprise action-resource pairs defining specific operational permissions, and calculating a percentage representing the identity's assigned entitlements relative to all possible entitlements available in each respective admin category, wherein each category power score quantifies the extent of the identity's administrative control or privilege coverage within that admin category and is independent of risk, behavioral, or event data associated with the identity; and calculating and compiling at the cloud-based security system and responsive to real-time security policy enforcement conditions, a global power score of the identity based on weighted combination of the category power scores, wherein the global power score represents an aggregate measure of the identity's potential privilege impact across the tenant cloud environment, distinct from behavioral or risk-based scoring, and wherein the global power score dynamically and automatically adjusts zero-trust security policies governing the identity's cloud resource access in response to changes in calculated power scores.
- 2. The non-transitory computer-readable medium of claim 1, wherein the steps further comprise: assessing privilege-based risk associated with the cloud environment based on the global power score of the identity.
- 3. The non-transitory computer-readable medium of claim 1, wherein the identity is one of human or non-human based on the global power score.
- 4. The non-transitory computer-readable medium of claim 1, wherein the steps further comprise: utilizing the global power score as a token or parameter to provide custom rules or adaptive zero-trust access policies for the identity in the cloud environment.
- 5. The non-transitory computer-readable medium of claim 1, wherein the steps further comprise: assessing the severity of an incident involving the identity based on the global power score.
- 6. The non-transitory computer-readable medium of claim 1, wherein the category power score is based on a percentage of entitlements the identity has, in relation to all the possible entitlements in the cloud environment.
- 7. The non-transitory computer-readable medium of claim 1, wherein the category power score is based on a percentage of resources the identity has access to, in relation to all resources in the cloud environment.
- 8. The non-transitory computer-readable medium of claim 1, wherein each of the plurality of admin categories includes a plurality of cloud services, and the steps further comprise: deriving a category power score of an identity for each of the plurality of admin categories based on one or more service scores associated with each of the plurality of admin categories.
- 9. The non-transitory computer-readable medium of claim 8, wherein the category power scores are derived based on a weighted system, wherein each cloud service is assigned a weight based on importance.
- 10. The non-transitory computer-readable medium of claim 1, wherein a threshold is defined for any category power score which causes the identity to be considered an admin in that category.
- 11. A method, implemented by a multi-tenant, zero-trust cloud-based security system providing inline monitoring and dynamic security policy enforcement between users and cloud services, the method comprising steps of: defining a plurality of admin categories for identities within a tenant cloud environment, wherein each admin category is defined by a list of one or more relevant cloud services and an associated entitlement schema comprising all possible action-resource pairs representing operational privileges specific to the tenant cloud environment; deriving a privilege-based category power score of an identity for each of the plurality of admin categories by expanding all cloud entitlements available to the identity within each admin category, wherein the entitlements comprise action-resource pairs defining specific operational permissions, and calculating a percentage representing the identity's assigned entitlements relative to all possible entitlements available in each respective admin category, wherein each category power score quantifies the extent of the identity's administrative control or privilege coverage within that admin category and is independent of risk, behavioral, or event data associated with the identity; and calculating and compiling at the cloud-based security system and responsive to real-time security policy enforcement conditions, a global power score of the identity based on weighted combination of the category power scores, wherein the global power score represents an aggregate measure of the identity's potential privilege impact across the tenant cloud environment, distinct from behavioral or risk-based scoring, and wherein the global power score dynamically and automatically adjusts zero-trust security policies governing the identity's cloud resource access in response to changes in calculated power scores.
- 12. The method of claim 11, wherein the steps further comprise: assessing privilege-based risk associated with the cloud environment based on the global power score of the identity.
- 13. The method of claim 11, wherein the identity is one of human or non-human.
- 14. The method of claim 11, wherein the steps further comprise: utilizing the global power score as a token or parameter to provide custom rules or adaptive zero-trust access policies for the identity in the cloud environment.
- 15. The method of claim 11, wherein the steps further comprise: assessing the severity of an incident involving the identity based on the global power score.
- 16. The method of claim 11, wherein the category power score is based on a percentage of entitlements the identity has, in relation to all the possible entitlements in the cloud environment.
- 17. The method of claim 11, wherein the category power score is based on a percentage of resources the identity has access to, in relation to all resources in the cloud environment.
- 18. The method of claim 11, wherein each of the plurality of admin categories includes a plurality of cloud services, and the steps further comprise: deriving a category power score of an identity for each of the plurality of admin categories based on one or more service scores associated with each of the plurality of admin categories.
- 19. The method of claim 18, wherein the category power scores are derived based on a weighted system, wherein each cloud service is assigned a weight based on importance.
- 20. The method of claim 11, wherein a threshold is defined for any category power score which causes the identity to be considered an admin in that category.
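The scoring procedure of claims 1, 6, 8, 9 and 10 carried through on constructed data, as an added example that is not code from the patent or from Zscaler; the entitlement schema, the service and category weights, the admin threshold and the two identities are all assumptions chosen for illustration.

```python
from fnmatch import fnmatchcase
# Constructed entitlement schema (not from the patent): admin category -> cloud service -> every
# possible (action, resource) pair that exists in the tenant environment.
SCHEMA = {
    "identity_admin": {
        "iam": {("iam:CreateUser", "*"), ("iam:DeleteUser", "*"),
                ("iam:AttachUserPolicy", "*"), ("iam:ListUsers", "*")},
        "sts": {("sts:AssumeRole", "role/*"), ("sts:GetCallerIdentity", "*")}},
    "storage_admin": {
        "s3": {("s3:GetObject", "bucket/*"), ("s3:PutObject", "bucket/*"),
               ("s3:DeleteBucket", "bucket/*"), ("s3:ListBucket", "bucket/*")}},
}
SERVICE_WEIGHTS = {"iam": 3.0, "sts": 1.0, "s3": 1.0}            # claim 9: importance weights
CATEGORY_WEIGHTS = {"identity_admin": 0.6, "storage_admin": 0.4}  # claim 1: weighted combination
ADMIN_THRESHOLD = 60.0                                            # claim 10: admin threshold

def expand(statements, possible):
    """Claim 1's expansion step: resolve (action globs, resource globs) statements to
    the concrete action-resource pairs of `possible` that they grant."""
    granted = set()
    for action_globs, resource_globs in statements:
        for action, resource in possible:
            if (any(fnmatchcase(action, g) for g in action_globs)
                    and any(fnmatchcase(resource, g) for g in resource_globs)):
                granted.add((action, resource))
    return granted

def category_power_score(statements, category):
    """Claims 6, 8, 9: per-service percentage of possible pairs held, weighted mean over services."""
    weighted, total = 0.0, 0.0
    for service, possible in SCHEMA[category].items():
        pct = 100.0 * len(expand(statements, possible)) / len(possible)
        weighted += SERVICE_WEIGHTS[service] * pct
        total += SERVICE_WEIGHTS[service]
    return weighted / total

def power_scores(statements):
    """Category power scores plus the 0-100 global score (weighted combination, claim 1)."""
    cats = {c: category_power_score(statements, c) for c in SCHEMA}
    glob = sum(CATEGORY_WEIGHTS[c] * s for c, s in cats.items()) / sum(CATEGORY_WEIGHTS.values())
    return cats, glob

def admin_categories(cats, threshold=ADMIN_THRESHOLD):
    """Claim 10: categories in which the identity is considered an admin."""
    return sorted(c for c, s in cats.items() if s >= threshold)

# Constructed identities: a human user with explicit grants; a non-human role holding a wildcard.
ALICE = [(["iam:CreateUser", "iam:DeleteUser", "iam:AttachUserPolicy"], ["*"]),
         (["sts:AssumeRole"], ["role/*"]), (["s3:GetObject", "s3:ListBucket"], ["bucket/*"])]
BACKUP_ROLE = [(["s3:*"], ["*"])]
```

`power_scores(ALICE)` gives category scores of 68.75 (identity_admin) and 50.0 (storage_admin) with a global score of 61.25, while the wildcard-holding role scores 100.0 in storage_admin but only 40.0 globally, which is the distinction the category weighting is meant to surface.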
Description
FIELD OF THE DISCLOSURE
The present disclosure generally relates to computer networking systems and methods. More particularly, the present disclosure relates to systems and methods for an identity power scoring system for cloud environments.
BACKGROUND OF THE DISCLOSURE
With the advent of Bring Your Own Device (BYOD) and work from home technology, there has been an explosion of mobile devices in enterprises, more specifically, in enterprise networks. It is essential for enterprises to assess risk related to exposure of such devices and user accounts. Traditionally, enterprises deploy firewalls in their on-premises networks, but now as employees have started roaming and connecting to Wi-Fi hotspots and other insecure networks, there is an emerging need to protect employees' devices that have access to sensitive enterprise information. The current disclosure aims to address security gaps through an identity power scoring system to help identify and prioritize risk related to exposure of credentials, over-privileging and authentication controls.
Further, the traditional view of an enterprise network (i.e., corporate, private, industrial, operational, etc.) included a well-defined perimeter defended by various appliances (e.g., firewalls, intrusion prevention, advanced threat detection, etc.). In this traditional view, mobile users utilize a Virtual Private Network (VPN), etc. and have their traffic backhauled into the well-defined perimeter. This worked when mobile users represented a small fraction of the users, i.e., most users were within the well-defined perimeter. However, this is no longer the case—the definition of the workplace is no longer confined to within the well-defined perimeter, and with applications moving to the cloud, the perimeter has extended to the Internet. This results in an increased risk for the enterprise data residing on unsecured and unmanaged devices as well as the security risks in access to the Internet.
Cloud-based security solutions have emerged, such as Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA), available from Zscaler, Inc., the applicant and assignee of the present application. ZPA is a cloud service that provides seamless, zero trust access to private applications running on the public cloud, within the data center, within an enterprise network, etc. As described herein, ZPA is referred to as zero trust access to private applications or simply a zero trust access service. Here, applications are never exposed to the Internet, making them completely invisible to unauthorized users. The service enables the applications to connect to users via inside-out connectivity versus extending the network to them. Users are never placed on the network. This Zero Trust Network Access (ZTNA) approach supports both managed and unmanaged devices and any private application (not just web apps).
BRIEF SUMMARY OF THE DISCLOSURE
The present disclosure relates to systems and methods for an identity power scoring system that assigns each identity in a cloud environment or cloud-based system, human or non-human, a score of 0-100, signifying how privileged the identity is in the context of a cloud account. The scoring system helps identify and prioritize risk associated with specific identities, allowing more optimized methods of protection for information in the cloud-based system. In various embodiments, the present disclosure includes a method with steps, a mobile device configured to implement the steps, and a non-transitory computer-readable medium storing computer-executable instructions for causing performance of the steps on a mobile device. The steps include defining a plurality of admin categories associated with a cloud environment; deriving a category power score of an identity for each of the plurality of admin categories; and calculating a global power score of the identity based on the power score for each of the plurality of admin categories.
The steps further include assessing risk associated with the cloud environment based on the global power score of the identity. The identity can be one of human or non-human. The steps can further include utilizing the global power score to provide custom rules for the identity in the cloud environment. The steps can further include assessing the severity of an incident involving the identity based on the global power score. The category power score can be based on a percentage of entitlements the identity has, in relation to all the possible entitlements in the cloud environment. The category power score can be further based on a percentage of resources the identity has access to, in relation to all resources in the cloud environment. Each of the plurality of admin categories can include a plurality of cloud services, wherein the steps can further include deriving a category power score of an identity for each of the plurality of admin categories based on one or more service scores associated with each of the plurality of a