US-20260129049-A1 - RIGHTSIZING PERMISSION SETS IN A CLOUD-BASED 5G NETWORK

Abstract

Systems, methods, and devices manage permissions. An example process includes the steps of identifying a first list of excess permissions associated with a first user account, determining a first account drift of the first user account based on the first list of excess permissions, and identifying a second list of excess permissions associated with a second user account. A second account drift of the second user account is determined based on the second list of excess permissions. A group drift is determined based on the first account drift and the second account drift. A first new configuration of permissions is identified for the first user account and the second user account in response to the group drift.

Inventors

  • Brian Peletz

Assignees

  • Boost SubscriberCo L.L.C.

Dates

Publication Date
2026-05-07
Application Date
2026-01-05

Claims (20)

  1. An automated process for managing permissions, comprising: identifying a first list of excess permissions associated with a first user account; determining a first account drift of the first user account based on the first list of excess permissions; identifying a second list of excess permissions associated with a second user account; determining a second account drift of the second user account based on the second list of excess permissions; determining a group drift based on the first account drift and the second account drift; and identifying a first new configuration of permissions for the first user account and the second user account in response to the group drift.
  2. The automated process of claim 1, further comprising implementing the first new configuration to reduce the group drift.
  3. The automated process of claim 1, wherein the first new configuration removes a permission granted to the first user account and to the second user account.
  4. The automated process of claim 3, wherein the permission removed from the first user account controls access to a virtual distributed unit.
  5. The automated process of claim 3, wherein the group drift is reduced in response to removing the permission from the first user account and from the second user account.
  6. The automated process of claim 1, further comprising scoring a consistency of a group based on the first account drift and the second account drift, wherein the group includes the first user account and the second user account.
  7. The automated process of claim 1, further comprising scoring a consistency of a group based on the first list of excess permissions associated with the first user account, and based on the second list of excess permissions associated with the second user account.
  8. The automated process of claim 7, further comprising identifying a second new configuration of permissions in response to the scored consistency of the group.
  9. The automated process of claim 8, wherein the second new configuration of permissions omits the first user account from the group.
  10. The automated process of claim 8, wherein the second new configuration of permissions includes a new group, the new group including the first user account and the second user account.
  11. An automated process for managing permissions, comprising: identifying excess permissions of a first user account in a group; scoring a first account drift of the first user account based on the excess permissions; scoring a second account drift of a second user account in the group; scoring a group consistency based on the first account drift and the second account drift; identifying a new configuration of permissions for the first user account and the second user account to increase the group consistency, wherein the new configuration removes a permission from accounts in the group; and implementing the new configuration, wherein the group consistency increases in response to removing the permission from the group including from the first user account and from the second user account.
  12. The automated process of claim 11, further comprising creating a new group including the first user account and the second user account to implement the new configuration.
  13. The automated process of claim 12, wherein removing the permission from the first user account and the second user account comprises removing the first user account and the second user account from the group.
  14. The automated process of claim 13, wherein removing the first user account and the second user account from the group revokes access to a virtual distributed unit.
  15. The automated process of claim 11, further comprising scoring a group drift of the group.
  16. The automated process of claim 15, further comprising identifying the new configuration in response to the group drift.
  17. The automated process of claim 15, wherein the group drift of the group is based on the first account drift and the second account drift.
  18. The automated process of claim 15, wherein the group drift of the group is based on the excess permissions.
  19. A system for managing permissions, comprising: a permission repository running on a cloud-based network; a permission manager running on the cloud-based network and in communication with the permission repository, wherein the permission manager scores a first account drift of a first user account based on unused permissions associated with the first user account, wherein the permission manager scores a second account drift of a second user account, wherein the permission manager scores a group consistency using the first account drift and the second account drift, and wherein the permission manager revokes a permission from the first user account and the second user account to increase the group consistency; and an access control system configured to read the permission from the permission repository and deny access by the first user account and by the second user account to a virtual distributed unit in response to the permission being revoked.
  20. The system for managing permissions of claim 19, wherein the permission manager generates a new configuration of permissions including a new group with the first user account and the second user account being members of the new group in response to the group consistency.
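The claims above state the procedure abstractly: excess permissions per account, an account drift score, a group drift score, a consistency score, and a new configuration that revokes shared unused permissions or splits the group. The Python model below is an added example written for this page, not code from the application or its assignee. It fixes concrete definitions that the application leaves open, and each is an assumption: excess is granted minus used (the subtraction the Summary describes), account drift is the fraction of an account's granted permissions that went unused, group drift is the mean of the member drifts, and group consistency is the share of the group's granted permissions that every member actually uses. The permission names (vdu:read, vdu:restart and so on), the account names, the usage data and the consistency threshold are all constructed for the example.

```python
"""Rightsizing a permission group: excess permissions, account drift, group drift,
group consistency and a proposed new configuration.

Added example for this page; the scoring formulas are assumptions, not the
application's own definitions. Permission names, accounts and usage are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

Permissions = FrozenSet[str]


@dataclass(frozen=True)
class Account:
    name: str
    granted: Permissions  # permissions the policy store grants the account
    used: Permissions     # permissions the access log shows it actually exercised

    @property
    def excess(self) -> Permissions:
        """Granted minus used: the account's list of excess permissions."""
        return self.granted - self.used

    @property
    def drift(self) -> float:
        """Assumed account drift: share of granted permissions that went unused."""
        return len(self.excess) / len(self.granted) if self.granted else 0.0


def group_drift(members: List[Account]) -> float:
    """Assumed group drift: mean of the member account drifts."""
    return sum(m.drift for m in members) / len(members) if members else 0.0


def group_consistency(members: List[Account]) -> float:
    """Assumed consistency: share of the group's granted permissions that every
    member uses, i.e. 1 - |union of excess| / |granted|. Revoking a permission
    nobody uses, or dropping a member whose usage does not fit, raises it."""
    granted = frozenset().union(*(m.granted for m in members))
    if not granted:
        return 1.0
    union_excess = frozenset().union(*(m.excess for m in members))
    return 1.0 - len(union_excess) / len(granted)


@dataclass
class NewConfiguration:
    members: List[Account]  # accounts that stay in the rightsized group
    granted: Permissions    # the group's new permission set
    revoked: Permissions    # permissions removed from every member
    omitted: List[Account]  # accounts moved out of the group (they need their own grant)


def rightsize(members: List[Account], min_consistency: float = 0.8) -> NewConfiguration:
    """Revoke permissions no member uses, then move out the highest-drift account
    until the group consistency reaches min_consistency (a hypothetical threshold)."""
    current = list(members)
    revoked: set = set()
    omitted: List[Account] = []
    while current:
        # Step 1: a permission unused by every member can be revoked group-wide;
        # this lowers every member's drift and therefore the group drift.
        common_excess = frozenset.intersection(*(m.excess for m in current))
        if common_excess:
            revoked |= common_excess
            current = [Account(m.name, m.granted - common_excess, m.used) for m in current]
        # Step 2: if members still disagree about what they use, the account with
        # the most remaining excess does not belong in this group.
        if len(current) == 1 or group_consistency(current) >= min_consistency:
            break
        outlier = max(current, key=lambda m: m.drift)
        omitted.append(outlier)
        current = [m for m in current if m is not outlier]
    granted = frozenset().union(*(m.granted for m in current))
    return NewConfiguration(current, granted, frozenset(revoked), omitted)


def is_allowed(config: NewConfiguration, account: str, permission: str) -> bool:
    """Access-control check against the new configuration: an account gets a
    permission only if it is still a member and the permission was not revoked."""
    return any(m.name == account for m in config.members) and permission in config.granted


# Constructed sample: an operator group for a virtual distributed unit (vDU) in a
# cloud-hosted RAN. Nobody used vdu:restart, and carol only ever read logs.
GROUP_GRANTED: Permissions = frozenset({"vdu:read", "vdu:write", "vdu:restart", "vcu:read", "logs:read"})
SAMPLE_GROUP: List[Account] = [
    Account("alice", GROUP_GRANTED, frozenset({"vdu:read", "vdu:write", "vcu:read", "logs:read"})),
    Account("bob", GROUP_GRANTED, frozenset({"vdu:read", "vdu:write", "vcu:read", "logs:read"})),
    Account("carol", GROUP_GRANTED, frozenset({"logs:read"})),
]

if __name__ == "__main__":
    print(f"before: drift={group_drift(SAMPLE_GROUP):.2f} consistency={group_consistency(SAMPLE_GROUP):.2f}")
    cfg = rightsize(SAMPLE_GROUP)
    print(f"revoke {sorted(cfg.revoked)}; keep {[m.name for m in cfg.members]}; move out {[m.name for m in cfg.omitted]}")
    print(f"after:  drift={group_drift(cfg.members):.2f} consistency={group_consistency(cfg.members):.2f}")
    print("carol vdu:read ->", is_allowed(cfg, "carol", "vdu:read"))
```

On the sample group the first pass revokes vdu:restart from everyone (the shared excess, the kind of vDU permission claims 4 and 14 talk about), which takes group drift from 0.40 to 0.25; the second pass moves carol out because her remaining drift of 0.75 keeps the consistency at 0.25, after which alice and bob form a group with drift 0 and consistency 1.0. In a real deployment the `used` sets come from an access log over a review window long enough to cover infrequent but legitimate actions (quarterly maintenance, incident response), and an omitted account should be re-homed into a group that matches what it used rather than left with nothing.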

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Nonprovisional Patent Application No. 18/176,936 filed on March 1, 2023 and entitled “Rightsizing Permission Sets in a Cloud-Based 5G Network,” which claims the benefit of U.S. Provisional Patent Application No. 63/331,149, filed on April 14, 2022 and entitled “Rightsizing Permission Sets,” both of which are incorporated herein by reference.

TECHNICAL FIELD

The following discussion generally relates to computer security, and in particular to maintaining permission groups and user permissions.

BACKGROUND

Wireless networks that transport digital data and telephone calls are becoming increasingly sophisticated. Currently, fifth generation (“5G”) broadband cellular networks are being deployed around the world. These 5G networks use emerging technologies to support data and voice communications with millions, if not billions, of mobile phones, computers and other devices. 5G technologies can supply much greater bandwidth than was previously available, so widespread deployment of 5G networks is likely to radically expand the number of services available to customers. This expansion will be accompanied by an increased need for cybersecurity.

The principle of least privilege is a security approach in which a user has only the minimum level of access required to function in their role. Applying least privilege tends to keep user accounts from accessing or modifying data that they should not, whether intentionally or accidentally. Least privilege can be difficult to apply when user groups grow and shrink regularly, or when users come on and off the system regularly. Access permissions also tend to drift over time as user roles within a company change, or as the access used by policy or process implementations deviates from the planned access.
Examples of organizations that might struggle to implement least privilege include large organizations with high levels of frictional turnover, organizations that scale user groups up and down in size, organizations that dynamically access user accounts, and organizations that apply access controls manually. Cloud service providers and other security vendors, for example, offer security suites that can help certain users apply least privilege under ideal conditions. However, existing tools may be insufficient for users with complex environments that use atypical networking techniques such as cloud-based 5G telephone networks.

SUMMARY

Systems, methods, and devices implement least privilege access by assessing and pruning the access permissions available to user accounts. Some embodiments of an automated process for managing permissions include the steps of compiling a first list of permissions used by a first user account, compiling a second list of permissions granted to the first user account, and subtracting the first list of permissions from the second list of permissions to generate a third list of excess permissions associated with the first user account. The process determines a first account drift of the first user account based on the third list of excess permissions. The automated process further includes the steps of compiling a fourth list of permissions used by a second user account, compiling a fifth list of permissions granted to the second user account, and subtracting the fourth list of permissions from the fifth list of permissions to generate a sixth list of excess permissions associated with the second user account. A second account drift of the second user account is determined based on the sixth list of excess permissions. A group drift is determined based on the first account drift and the second account drift.
A first new configuration of permissions for the first user account and the second user account is generated in response to the group drift. Various embodiments implement the first new configuration to reduce the group drift. The first new configuration removes a permission from the second list of permissions granted to the first user account and from the fifth list of permissions granted to the second user account. The permission removed from the second list and the fifth list controls access to a virtual distributed unit. The group drift is reduced in response to removing the permission from the second list of permissions granted to the first user account, and in response to removing the permission from the fifth list of permissions granted to the second user account. A consistency of a group is scored. The group comprises the first user account and the second user account, and the consistency is based on the first account drift and the second account drift. Consistency of a group is also scored based on the third list of excess permissions associated with the first user account and based on the sixth list of excess permissions associated with the second user account. A second new configuration of permissions is identified in response to the scored consistency of the