US Patent 9769209 Identity security and containment based on detected threat events

An alert source issues security alerts to an identity provider, which acts as a gatekeeper to a secure resource. Each security alert is associated with an alert user identity and a security threat. When a user identity requests access to the secure resource, the identity provider may look up security alerts associated with the user identity, such as my matching up the user identity with the alert user identity associated with each alert. Based on any discovered security alerts that correspond to the user identity and a pre-defined security policy, the identity provider may perform various security actions on the user identity. For example, the identity provider may contain a user identity associated with high-risk and/or high fidelity security alerts. The identity provider may deny the user identity access to the secure resource, or the identity provider may request additional authentication factors associated with the user identity before access to the secure resource is provided. The identity provider may provide access to the secure resource without containing the user identity if there are no discovered security alerts associated with the user identity, or if the discovered security alerts pose a minor threat.