CLAIM OF PRIORITY

This application claims priority under 35 U.S.C. §119(e) to provisional U.S.

Patent Application 62/385,387, filed on September 9, 2016, entitled: "Architecture for Access Management," and U.S. Serial No. 15/594,786, filed May 15, 2017, entitled: "Architecture for Access Management," the entire contents of both are hereby

incorporated by reference.

BACKGROUND

This description relates to operation of networks for dissemination of information.

Access control systems commonly employ access cards that include

corresponding embedded electronic credentials that are read by a corresponding card reader. For a given access card, a read credential is typically compared to an access control list that is stored in an access control system. If the credential matches to an approved entry in the access control list, a cardholder in possession of the access card is allowed certain privileges such as, for example, access to a locked door. Such systems are widely deployed in commercial businesses.

It is common for computer systems to gather information, such as proprietary data on individuals other entities such as businesses etc., as well on operational data from other systems. One type of information is proprietary data such as "personally identifiable information" commonly referred to as "PII." PII is information of a sensitive, personal nature that is generally associated with individuals and is often protected by privacy laws in many jurisdictions. PII is information that can identify or contact or locate a single person or to identify an individual in context. Examples of PII include name, social security number, date and place of birth, mother's maiden name, biometric records and information that is linkable to an individual, such as medical, educational, financial, and employment information, as well as a user's device IP address used in a communication service broker.

Another type of information is proprietary data such as Machine Identifiable Information or "Mil," such as in the context of the "Internet of Things." That is, other information that is collected includes operational information such as information used to control access control systems, intrusion detection systems and integrated security/alarm systems. For different reasons each of these types of information may have a sensitive nature that should limit the ubiquitous retention of such information in disparate systems.

Considering PII, modern information technology and the Internet have made it easier to collect PII and Mil through various mechanisms leading to various problems such as aiding of criminal acts, identity theft, etc. For example, there have been numerous reports of security breaches of commercial, governmental and private systems having databases storing the PII information of many thousands or millions of individuals.

SUMMARY

According to an aspect, a system a card reader system including a processor and memory, the card reader system configured to execute a security application that configures the card reader system to receive an embedded electronic credential from an access badge, with the embedded electronic credential carried by the access badge and being associated with a user, determine whether the credential indicates an authorized access, generate a message according to a result of the determination, and send the message to a distributed ledger that logs the result in the distributed ledger.

Aspects also include systems and methods. Additional features of the computer program product, systems and methods include other features disclosed herein.

One or more of the above aspects may provide one or more of the following advantages.

The new architecture employs distributed ledger technologies that allow an access reader to validate information (a token) presented via the identity "card", which token is relevant to the identity of the card holder. Because the information is stored in a distributed ledger format (i.e., copies of the information to be validated are stored in numerous locations), the access system has a higher level of security since it would be extremely difficult to hack every instance of that information. Moreover, if a hack of the system was attempted, and the attempt to hack was unsuccessful with respect to even one instance of the validation information, the validation would fail and the person's identity would not be validated, thus maintaining secure access control.

The details of one or more embodiments of the invention are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the invention is apparent from the description and drawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram of an exemplary system for securing PII information.

FIG. 2 is a block diagram of a distributed ledger.

FIG. 3 is a block diagram of a broker system.

FIG. 4 is a block diagram of a facility with access control.

FIG. 4A is a blown up view of a portion of FIG. 4.

FIG. 5 is a block diagram of an example of an access control system.

FIG. 6 is a block diagram of an access system using an access card.

FIG. 7 is a flow diagram of an access process for the system of FIG. 6.

FIG. 8 is a block diagram of an exemplary device/ system.

DETAILED DESCRIPTION

Described herein is a set of techniques that provide a solution using a distributed ledger optionally with a private service broker for dissemination between two or more electronic devices of information such as credential (as well as other confidential information such as PII ), which dissemination occurs in a controlled, secure and confidential manner. The system described uses a combination of an access badge with an embedded credential, which access badge is carried by a user, an access card reader associated with a security system that has a security system wallet, a distributed ledger that manages proxies for PII (as well as other confidential information), along with a service broker system that securely manages data transmissions and verifications of the data without actually having the security system wallet directly access the distributed ledger. In other implementations the service broker is not used and the security system wallet directly accesses the distributed ledger.

Referring now to FIG. 1, an exemplary distributed network system 10 for access control is shown. In the system 10, several approaches are feasible as disclosed in the incorporated by reference provisional application. One such approach discussed in detail in below uses access badges 12a, 12b, each with embedded credentials 13a, 13b in conjunction with a distributed ledger 14 back-end that replaces the typical centralized database (not shown). The access badges 12a, 12b are used with access card readers 15, in which a user will swipe or otherwise allow the card readers to read the credential on the user's badge. In some implementations, the access card reader 15 makes

determinations regarding access. The access badge/distributed ledger approach provides enhanced user experience, security, compliance and so forth, as discussed below. The access badge is a physical security badge. Various form factors can be used as an access badge.

In the discussion below, the badges 12a, 12b hold users' credentials 13a, 13b that are needed for access to a facility using system 10. Also, in the discussion below, the focus will be on badge 12a and credential 13a.

The system 10 also includes a distributed ledger system 14. The distributed ledger system 14 is a sequential transaction database. An example of a sequential transaction database is the so-called "Blockchain" that operates with cryptocurrencies, such as "bitcoin"® (bitcoin project.org). The distributed ledger 14 rather than being dedicated to managing cryptocurrencies, manages PII transactional records and serves as the backend for a distributed access system. The distributed ledger system 14 interacts with a security system, e.g., a third party system 18 to allow access to users to otherwise locked facilities. While sharing some similarities to the Blockchain as well as other known types of sequential transaction databases, the distributed ledger 14 has some significant differences.

The distributed ledger 14 can have a structure as set out in FIG. 2. A service broker system 16 is included in some implementations of the distributed ledger 14. In some implementations, the service broker 16 interfaces between the card reader 15 and the distributed ledger 14. In other implementations, the service broker system 16 is not needed and the card reader 15 will interface directly with the distributed ledger 15.

The system 10 also includes a third party system 18. The third party system 18 can be any electronic system (or device) and is the system/device that seeks some aspect of the PII or other confidential information of a user that can be obtained from the security badge 12a, associated with the user. In the examples discussed below the third party systems are or are aspects of access systems, both physical access as well as logical access. By physical access is meant access to physical locations, e.g., facilities, whereas logical access relates to access to logical structures such as electronic devices or applications/data accessible via electronic devices. The examples discussed below are in relation to physical access control systems. In the processes discussed below, some or all of the aforementioned badge 12a, distributed ledger 14, optionally service broker 16 and third party access system 18 are used.

Referring now to FIG. 2, the distributed ledger system 14 is shown. As mentioned, the distributed ledger system 14 is a sequential transaction database. The distributed ledger system 14 thus includes distributed databases 32a-32n that are typically existing in the "Cloud." The distributed database comprise storage devices 34a-34n that are attached to different interconnected computers 36a-36n. The distributed databases are controlled by a distributed database management system that controls storage of data over a network 38 of the interconnected computers and execute corresponding replication and duplication processes. Replication software (not shown) detects changes in the distributed database contents and once the changes have been detected, replicates the changes to have all the databases the same. Duplication software (not shown) identifies one database (not shown) as a master and then duplicates that database across other databases. Replication and duplication keep the data current in all distributed storage locations.

The distributed databases 32a-32n that form the distributed ledger system 14 each store encrypted information records. An exemplary record 40 is shown below. The record 40 is stored in each of the distributed databases 32a-32n that form the distributed ledger system 14, which stores the record 40 in an encrypted form in the distributed ledger system 14. Record 40 has a structure that includes an attribute type, a hashed and encrypted value of the attribute, an attester's digital signature of the hashed and encrypted value and the attester's address.

An exemplary record format is set out in table below, where the attribute could be something as simple as the credential 13a.

Referring now to FIG. 3, the broker system 16 is shown. The broker system 16 includes a computer system and executes software that handshakes between the user system 12 and a vetting agent or attester. Rather, than the third party device, e.g., access readers 15a, 15b (or more generally the third party system 18) accessing the distributed ledger 14 directly, all requests for transactions between the third party device and the requesting device occur through the broker system 16. In other embodiments, the third party device, e.g., access readers 15a, 15b (or more generally the third party system 18) directly access the distributed ledger system 14.

As shown in FIG. 3, the broker system 16 can be a compilation of many such broker systems 16a-16n. Each of the broker systems 16a-16n can comprise computer systems and associated distributed databases. The broker systems 16a-16n are distributed over a network of servers that act together to manage the distributed ledger 14. All attribute hashed values, attester information, etc. are stored in the distributed ledger 14 and as the flow diagram below will show the broker systems 16a-n are configured to access the distributed ledger 14 to obtain and validate such information.

Note that in the context of a private distributed ledger environment, for an enterprise, it may be desirable to not have a query sent to the attester database for each transaction. Rather, a business rule could be established that once a validation event has occurred, then it is good for a period of time, until the attester database is updated etc., so as to reduce latency.

Referring now to FIGS. 4, 4A, an implementation of an access control system is shown. A facility 110 with access control in this illustrative example, as having two secured rooms 112a and 112b and a single external entryway 112c. Room 112a has a doorway 113a and has associated therein an access controller 116a and an ingress card reader 118a. Room 112b has a doorway 113b and has associated therein an access controller 116b and two card readers, an ingress card reader 118b and an egress card reader 118b' . The external entryway 12c has associated therewith an access controller 116c and two card readers, an ingress card reader 118c and an egress card reader 118c'. A detailed view of the external doorway is shown in FIG. 9A with exemplary door locks 122a, 122b controlled by the access controller 116c.

Referring now to FIG. 5, access control system 111 for a typically facility 110 includes a plurality of access controllers generally 116. Each of the access controllers 116 can have designated master controllers (not shown). Conventional techniques to set up and associate these controllers with a security system can be used. During installation of an access control system, the access control system is configured by a technician according to operational requirements of the facility 110. The system also includes a gateway 137 that is coupled to the access controllers, e.g., via master controllers 116a- 16c and a LAN, router, modem, to access the Internet and a firewall, as illustrated, and a server 139 that is coupled to the gateway 137. This is but an illustrative example.

Referring to FIG. 6, a system 150, such as a card reader, includes a processor 152 and memory 154 and a network interface card 153 (NIC) in communication with network infrastructure, e.g., a router, web server, etc., to access the distributed ledger 14. The system 150, i.e., card reader 150, is used in conjunction with a device 156 that includes an embedded electronic credential 158 (e.g., an access badge credential 13a) that is associated with a user. The card reader 150 executes a security application 160 that is configured to receive the credential 158 from the device 156 and determine whether the credential 158 indicates an authorized access. In FIG. 6, the card reader 150 executing the security application 160, is further configured to receive credential information from the distributed ledger 14 and to send transaction records to the distributed ledger 14.

Referring now to FIG. 7, in one implementation, a user in possession of an access badge (e.g., 12a) that includes the embedded electronic credential 158, e.g., credential 13a, swipes, or otherwise has the badge accessed by the card reader 150. The credential embedded in the badge is read 170 by the card reader 150 in a generally conventional manner.

In one implementation, the processor 152 executing the security application 156 residing in memory 154 accesses 172 the distributed ledger 14 to obtain from the distributed ledger a record corresponding to user's credential. The card reader 150 executing the security application 160 determines or verifies 174 whether the credential 158 that is received from the badge indicates an authorized access (or other action). The card reader 150 executing the security application 160 sends a request to the distributed ledger and receives credential information, if any is found, from the distributed ledger 14. Found credential information is sent from the distributed ledger 14 to the card reader.

Verifying 174 by the card reader 150 involves the card reader determining from the record received from the distributed ledger 14 some item of information regarding the credential (e.g., whether the credential is still valid and if so what access privileges are associated with the credential, etc.) In other implementations, either the system, the card reader, the servers (or both the card readers and servers) analyze the credential against stored access rules or against other criteria.

In either case, the card reader 150 generates from the data received from the distributed ledger 14, a result. The reader generates a message according to the result. Thus, if the result is to allow access, the reader generated message is a control message that grants 176a access, e.g., unlocks an electronic lock on a door, etc., e.g., the door lock of FIG. 9.

If the result is to deny access 176b then another action can occur such as a retry action that is communicated to the user or an action that is not discernible to the user, but which denies access.

With either result (allowing access or denying access) the card reader sends a corresponding transaction message to the distributed ledger 14 that logs the result in the distributed ledger 14. Also, various other access control decisions can be made based on the result.

The distributed ledger system stores, among other data, records of personally identifiable information, as well as, access transactions. In addition, to the storage of records of PII, the distributed ledger also include the storage hashes of those records could be stored instead of or in addition to those records. The distributed ledger record could record when access was denied or only when it was successful or could record all transactions whether access was denied or successful.

Referring now to FIG. 8, components of system/devices are shown. Memory stores program instructions and data used by the processor. The memory may be a suitable combination of random access memory and read-only memory, and may host suitable program instructions (e.g. firmware or operating software), and configuration and operating data and may be organized as a file system or otherwise. The program instructions stored in the memory may further store software components allowing network communications and establishment of connections to the data network. The software components may, for example, include an internet protocol (IP) stack, as well as driver components for the various interfaces. Other software components suitable for establishing a connection and communicating across network will be apparent to those of ordinary skill.

Servers are associated with an IP address and port(s) by which it communicates with user devices. The server address may be static, and thus always identify a particular one of monitoring server to the intrusion detection panels. Alternatively, dynamic addresses could be used, and associated with static domain names, resolved through a domain name service. The network interface card interfaces with the network to receive incoming signals, and may for example take the form of an Ethernet network interface card (NIC). The servers may be computers, thin-clients, or the like, to which received data representative of an alarm event is passed for handling by human operators. The monitoring station may further include, or have access to, a subscriber database that includes a database under control of a database engine. The database may contain entries corresponding to the various subscriber devices/processes to panels like the panel that are serviced by the monitoring station.

All or part of the processes described herein and their various modifications (hereinafter referred to as "the processes") can be implemented, at least in part, via a computer program product, i.e., a computer program tangibly embodied in one or more tangible, physical hardware storage devices that are computer and/or machine-readable storage devices for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing

environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a network.

Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only storage area or a random access storage area or both. Elements of a computer (including a server) include one or more processors for executing instructions and one or more storage area devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from, or transfer data to, or both, one or more machine-readable storage media, such as mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks.

Tangible, physical hardware storage devices that are suitable for embodying computer program instructions and data include all forms of non-volatile storage, including by way of example, semiconductor storage area devices, e.g., EPROM, EEPROM, and flash storage area devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks and volatile computer memory, e.g., RAM such as static and dynamic RAM, as well as erasable memory, e.g., flash memory.

In addition, the logic flows depicted in the figures do not require the particular order shown, or sequential order, to achieve desirable results. In addition, other actions may be provided, or actions may be eliminated, from the described flows, and other components may be added to, or removed from, the described systems. Likewise, actions depicted in the figures may be performed by different entities or consolidated.

Elements of different embodiments described herein may be combined to form other embodiments not specifically set forth above. Elements may be left out of the processes, computer programs, Web pages, etc. described herein without adversely affecting their operation. Furthermore, various separate elements may be combined into one or more individual elements to perform the functions described herein.

Other implementations not specifically described herein are also within the scope of the following claims.