US-20260129022-A1 - GRANULAR SECURITY SEGMENTATION FOR COMPUTING ASSETS
Abstract
A system comprises: a memory; processors coupled to the memory and configured to perform: obtaining first identifying information of a first data packet rejected by a gateway device, the first identifying information indicating a sender computing asset and a receiver computing asset; mapping the first identifying information to first entity information including a first list of key-value pairs for the sender computing asset and a second list of key-value pairs for the receiver computing asset, based on a hierarchy of entities and a hierarchy of computing assets; identifying one or more permission rules applicable to the first entity information, each permission rule indicating that a specific source computing asset associated with a specific source entity can or cannot communicate with a specific target computing asset associated with a specific target entity; based on the one or more permission rules, transmitting one or more packet filter rules to the gateway device.
Inventors
- Nicholas James Lange
- Song Cong Siao
Assignees
- MORGAN STANLEY SERVICES GROUP INC.
Dates
- Publication Date: 20260507
- Application Date: 20250421
Claims (20)
- 1. A system for dynamically managing network traffic with granular security zones, comprising: a memory; one or more processors coupled to the memory and configured to perform: obtaining first identifying information of a first data packet rejected by a gateway device, the first identifying information indicating a sender computing asset and a receiver computing asset; mapping the first identifying information to first entity information including a first list of key-value pairs for the sender computing asset and a second list of key-value pairs for the receiver computing asset, based on a hierarchy of entities and a hierarchy of computing assets; identifying one or more permission rules applicable to the first entity information, each permission rule indicating that a specific source computing asset associated with a specific source entity can or cannot communicate with a specific target computing asset associated with a specific target entity; based on the one or more permission rules, transmitting one or more revised packet filter rules to the gateway device.
- 2. The system of claim 1, the mapping being further based on a plurality of relationships between the hierarchy of entities and the hierarchy of computing assets, the plurality of relationships including ownership, leasing, or access.
- 3. The system of claim 1, the mapping comprising determining whether a value of a key-value pair of the first list of key-value pairs represents a trait or a member of an entity in the hierarchy of entities or of a computing asset in the hierarchy of computing assets.
- 4. The system of claim 1, the transmitting comprising extracting information related to computing assets from a permission rule of the one or more permission rules.
- 5. The system of claim 1, the hierarchy of computing assets including one or more computing applications running on one or more computer devices, the first identifying information including a first address of a sender device and a first port associated with the sender device, the mapping comprising matching the first port with information related to the one or more computing applications.
- 6. The system of claim 1, each permission rule being associated with a priority of a hierarchy of priorities, the one or more processors further configured to perform: applying the one or more permission rules to the first entity information based on the associated one or more priorities; creating the one or more revised packet filter rules based on the applying.
- 7. The system of claim 1, the one or more processors further configured to perform: receiving second identifying information of a second data packet rejected by the gateway device; mapping the second identifying information to second entity information; determining that no permission rule is applicable to the second entity information; creating a new permission rule based on a user input or based on data packets previously received by the gateway device.
- 8. The system of claim 1, the one or more processors further configured to perform: tracking a statistic related to data packets rejected by the gateway device that are associated with a specific pair of sender computing asset and receiver computing asset; determining that the statistic exceeds a predetermined threshold; creating the one or more revised packet filter rules for the specific pair.
- 9. The system of claim 1, the obtaining comprising: receiving the first data packet including the first identifying information; comparing the first identifying information to a first packet filter rule of one or more packet filter rules to produce a comparison outcome; and based on the comparison outcome, blocking the first data packet from reaching the receiver computing asset.
- 10. The system of claim 9, the one or more processors further configured to perform: receiving a second data packet including second identifying information indicating the sender computing asset and the receiver computing asset; comparing the second identifying information to a revised packet filter rule of the one or more revised packet filter rules to produce a second comparison outcome; and based on the second comparison outcome, forwarding the second data packet to the receiver computing asset.
- 11. A method of dynamically managing network traffic with granular security zones, comprising: obtaining first identifying information of a first data packet rejected by a gateway device, the first identifying information indicating a sender computing asset and a receiver computing asset; mapping the first identifying information to first entity information including a first list of key-value pairs for the sender computing asset and a second list of key-value pairs for the receiver computing asset, based on a hierarchy of entities and a hierarchy of computing assets; identifying one or more permission rules applicable to the first entity information, each permission rule indicating that a specific source computing asset associated with a specific source entity can or cannot communicate with a specific target computing asset associated with a specific target entity; based on the one or more permission rules, transmitting one or more revised packet filter rules to the gateway device, wherein the method is performed by one or more computers.
- 12. The method of claim 11, the mapping being further based on a plurality of relationships between the hierarchy of entities and the hierarchy of computing assets, the plurality of relationships including ownership, leasing, or access.
- 13. The method of claim 11, the mapping comprising determining whether a value of a key-value pair of the first list of key-value pairs represents a trait or a member of an entity in the hierarchy of entities or of a computing asset in the hierarchy of computing assets.
- 14. The method of claim 11, the transmitting comprising extracting information related to computing assets from a permission rule of the one or more permission rules.
- 15. The method of claim 11, the hierarchy of computing assets including one or more computing applications running on one or more computer devices, the first identifying information including a first address of a sender device and a first port associated with the sender device, the mapping comprising matching the first port with information related to the one or more computing applications.
- 16. The method of claim 11, each permission rule being associated with a priority of a hierarchy of priorities, the method further comprising: applying the one or more permission rules to the first entity information based on the associated one or more priorities; creating the one or more revised packet filter rules based on the applying.
- 17. The method of claim 11, further comprising: receiving second identifying information of a second data packet rejected by the gateway device; mapping the second identifying information to second entity information; determining that no permission rule is applicable to the second entity information; creating a new permission rule based on a user input or based on data packets previously received by the gateway device.
- 18. The method of claim 11, further comprising: tracking a statistic related to data packets rejected by the gateway device that are associated with a specific pair of sender computing asset and receiver computing asset; determining that the statistic exceeds a predetermined threshold; creating the one or more revised packet filter rules for the specific pair.
- 19. The method of claim 11, the obtaining comprising: receiving the first data packet including the first identifying information; comparing the first identifying information to a first packet filter rule of one or more packet filter rules to produce a comparison outcome; and based on the comparison outcome, blocking the first data packet from reaching the receiver computing asset.
- 20. The method of claim 19, further comprising: receiving a second data packet including second identifying information indicating the sender computing asset and the receiver computing asset; comparing the second identifying information to a revised packet filter rule of the one or more revised packet filter rules to produce a second comparison outcome; and based on the second comparison outcome, forwarding the second data packet to the receiver computing asset.
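The pipeline of claim 1 (rejection record, enrichment into entity key-value pairs, priority-ordered permission rules, revised packet filter rule) as an added Python example; this is not code from the patent or its assignee. The asset hierarchy, entity traits, rules, addresses and the threshold of three rejections are all constructed sample data, with the priority handling of claim 6, the no-rule case of claim 7 and the rejection statistic of claim 8 modelled in the simplest form.

```python
from collections import Counter

# Constructed asset hierarchy: host address -> host traits plus the
# applications it runs keyed by listening port (claim 5 of the page).
HOSTS = {
    "10.0.1.5": {"host": "srv-a1", "owner": "team-trading", "env": "prod", "apps": {8443: "trade-api"}},
    "10.0.2.9": {"host": "db-b2", "owner": "team-risk", "env": "prod", "apps": {5432: "risk-db"}},
    "10.0.3.3": {"host": "jump-c3", "owner": "team-infra", "env": "dev", "apps": {22: "sshd"}},
}
# Constructed permission rules over entity traits, not addresses:
# (priority, sender traits, receiver traits, allow). Lower priority number wins (claim 6).
RULES = [
    (10, {"env": "dev"}, {"env": "prod"}, False),
    (20, {"owner": "team-trading"}, {"app": "risk-db"}, True),
]
THRESHOLD = 3            # rejections of one pair before a rule is pushed (claim 8)
REJECTIONS = Counter()   # statistic per (sender, receiver, port) pair

def enrich(ip, port):
    """Map an address/port to the asset's key-value pairs; None if the asset is unknown."""
    host = HOSTS.get(ip)
    if host is None:
        return None
    traits = {k: v for k, v in host.items() if k != "apps"}
    traits["app"] = host["apps"].get(port, "unknown")   # ephemeral ports map to no app
    return traits

def decide(src, dst):
    """Verdict of the highest-priority applicable rule; None when no rule applies (claim 7)."""
    for _, want_src, want_dst, allow in sorted(RULES, key=lambda r: r[0]):
        if all(src.get(k) == v for k, v in want_src.items()) and \
           all(dst.get(k) == v for k, v in want_dst.items()):
            return allow
    return None

def process_rejection(src_ip, src_port, dst_ip, dst_port):
    """Turn one gateway rejection record into a packet filter rule, or None if nothing changes yet."""
    src, dst = enrich(src_ip, src_port), enrich(dst_ip, dst_port)
    if src is None or dst is None:
        return None                      # unmapped asset: nothing to enrich
    pair = (src_ip, dst_ip, dst_port)
    REJECTIONS[pair] += 1
    if REJECTIONS[pair] < THRESHOLD:
        return None                      # below threshold: keep blocking, gather statistics
    verdict = decide(src, dst)
    if verdict is None:
        return None                      # no rule applies: needs a human-authored rule
    return {"action": "allow" if verdict else "deny",
            "src": src_ip, "dst": dst_ip, "dport": dst_port}
```

Note that a "deny" verdict still yields an explicit filter rule, matching the FIG. 4B flow in which the subsequent packet is rejected again, while an unmapped asset or an unmatched pair changes nothing on the gateway.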
Description
RELATED APPLICATIONS
This application claims the benefit under 35 U.S.C. § 120 as a continuation of U.S. patent application Ser. No. 18/938,972, filed on Nov. 6, 2024, the entire contents of which are hereby incorporated by reference for all purposes as if fully set forth herein. Applicant hereby rescinds any disclaimer of claim scope in the parent application or the prosecution history thereof and advises the USPTO that the claims in this application may be broader than any claim in the parent application.
TECHNICAL FIELD
The present disclosure relates to dynamic real-time network connectivity management, and more particularly to control of network traffic based on dynamic changes in relationships with entities and other properties of computing assets.
BACKGROUND
Today, firewalls exist as software modules which act as an initial messaging filter when a computing asset, such as a computer device, attempts to send a data packet through a computing network. Generally, by examining the address of the intended recipient asset associated with the data packet, and the address of the sender, the firewall either blocks the message from passing through to the network, or allows the message to traverse the network to the intended recipient computing asset, such as another computer device. As the firewall typically acts as an initial filter, the firewall implements simple rules that can be checked with a minimum of processing power, in order to maximize the amount of traffic that can be checked. Consequently, the firewall generally does not check the contents of the data packet, which may be encrypted and opaque to the firewall. Further, the firewall does not consider or have access to more complex relationship definitions between a source asset and a target asset, in order to inform the decision to block or allow a particular data packet.
For example, conventional firewalls maintain a list of sets of source and target addresses and ports within a computer network which are permitted or disallowed to communicate with one another, together with related priority rules. When a data packet arrives, the firewall seeks out the highest priority rule that includes both the source asset's address and the target asset's address, and then either allows or blocks the data packet based upon that rule. However, at institutions with a large number of computing assets, such as computer devices, databases, and web servers, where access control of the computing assets can be determined by various, frequently changing properties of these computing assets, the conventional approach is inadequate. Therefore, it would be helpful to supplement the functionality of firewalls in order to improve management of network connectivity and allow granular security segmentation.
SUMMARY
The appended claims may serve as a summary of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
Example embodiments will now be described by way of non-limiting example with reference to the accompanying drawings, in which:
FIG. 1 illustrates an example networked system including an exemplar access management system in which various embodiments may be practiced.
FIG. 2 illustrates a relational diagram depicting several assets, a firewall, and several engines implementing portions of an exemplar access management system.
FIG. 3A illustrates a flowchart depicting an exemplar protocol for processing data packets and updating a firewall.
FIG. 3B illustrates an example tabular set of records in the asset hierarchy system, and an example tabular set of records returned from the enrichment engine.
FIG. 3C illustrates an example tabular set of records in the hierarchy permission system, and an example tabular set of records returned from the permissioning engine.
FIG. 3D illustrates an example tabular set of records created by the connectivity engine based on the records from the enrichment engine and the permissioning engine, and an example packet filter rule to be sent to the firewall in the gateway device.
FIG. 4A illustrates a time series flow of a data packet being rejected by a firewall, an exemplar access management system reviewing the rejection record, ascertaining a new packet filter rule is required, and a subsequent data packet being allowed by the firewall.
FIG. 4B illustrates a time series flow of a data packet being rejected by a firewall, an exemplar access management system reviewing the rejection record, ascertaining a new packet filter rule is required, and a subsequent data packet also being rejected by the firewall.
FIG. 5 illustrates an example process of dynamically managing network traffic with granular security zones performed by the access management system.
FIG. 6 illustrates a computer system upon which various embodiments may be implemented.
DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS
In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the example emb