This application claims priority to European Application No. 08017143.2 filed 29 Sep. 2008, the entire contents of which are hereby incorporated by reference.
The present invention relates to a method and a rule-repository for generating security-definitions for heterogeneous systems.
Today, huge software systems providing a large amount of diverse data are typically combinations of different heterogeneous subsystems such as internet portals, collections of different databases or registries, which makes the overall systems very complex. Heterogeneous in this context means that the subsystems each may have a completely different structure, underlying technology, data formats, processing concepts, etc.
In order to ensure the security of the data in such a composed software system, e.g. to ensure that only authorized parties have access to parts of the data or that only authorized personnel is allowed to perform certain system tasks, the subsystems typically each allow for the declaration of a set of security definitions. However, the heterogeneous subsystems might specify fine-grained security definitions by different technical means and conforming to different syntactic models. On the other hand, the overall security of the software system is likely to be the result of coarse-grained, global security intents, which have to be manually manifested by administration personnel in the multiple different fine-grained security definitions of each subsystem. Since a global security intend may likely affect multiple different subsystems, the various different security definitions have to be kept synchronized at all times in order to guarantee the security of the overall software system. Thus, even to a knowledgeable administrator, the overall set of a system's fine-grained security definitions may often appear as an incomprehensible collection of access privileges, which is difficult to maintain and results in the risk of security leaks of the overall software system.
In this context, the U.S. Pat. No. 7,058,715 describes how to manage access control within system topologies, in particular in storage-area networks. It discloses a formal mathematical model to group accessors and accessibles into proto-zones in order to facilitate the security management. Furthermore, the U.S. Pat. No. 6,751,509 discloses a method to achieve access control to tabular data organized in cells and aggregations of cells, especially in closed systems such as financial institutions. The document focuses on the derivation of aggregated access control rules on the same fine-grained abstraction-level.
It is therefore the technical problem underlying the present invention to facilitate the derivation of fine-grained security-definitions from more global security intents, thereby increasing the security of huge software systems comprised of heterogeneous subsystems and thereby at least partly overcoming the above explained disadvantages of the prior art.
This problem is according to one aspect of the invention solved by a method for generating one or more system-specific security-definitions for one or more heterogeneous subsystems of a software system. In the embodiment of claim 1, the method comprises the following steps:
Accordingly, the embodiment defines a method which facilitates the generation of system-specific security-definitions specific to different heterogeneous subsystems of a software system. As explained in the introductory section, each subsystem might have its own method of establishing security and especially might have its own data model of storing security definitions, which makes it very difficult to achieve the overall security-intends of the overall system. To this end, the embodiment defines a three-layered architecture for security-definitions, including a meta-representation of the system-specific security-definitions:
Consequently, storing the security-definitions according to this three-layered security-architecture already has advantages in documenting changes to the security set, thus making it better maintainable. Additionally, the three-layered security-architecture provides a better understanding of which security-definitions exist and their intents and further achieves a synchronized generation of the fine-grained system-specific security-definitions from the more abstract security-intents. Thus, the overall security of the software system is improved through the enforcement of the security intents by the different system-specific security-definitions.
In one aspect of the present invention, the method further comprises the steps of storing one or more new system-specific security-definitions in the rule-repository and generating the one or more machine-readable security-definitions from the one or more new system-specific security-definitions by the one or more rule-converters according to the second mapping. Accordingly, the rule-converters may be able to convert the security-definitions in both directions. This enables a “reverse-engineering” of existing fine-grained security-definitions, which facilitates a better understanding of the security-definitions and makes the validation of existing configurations easier, thereby further increasing the overall security.
In another aspect, the method further comprises the steps of selecting at least one of the natural-language security-definitions and retrieving the one or more affected system-specific security-definitions according to the first and second mapping. A system-specific security-definition is affected by a natural-language security-definition in this context, if it was derived from it through one or more corresponding machine-readable security-definitions. In this aspect, the rule-repository may be thought of as a combined data basis of rules in layers 2 and 3, which is able to provide information of which actions have taken place with respect to security. This is especially advantageous when the security activities undertaken related to a natural-language security-definition do not have the desired effects and the system-specific security-definitions are of such quantity that they cannot be efficiently inspected manually. Additionally or alternatively, the method may comprise the further steps of selecting at least one of the system-specific security-definitions and retrieving the one or more affected natural-language security-definitions according to the first and second mapping.
Furthermore, the method may further comprise the steps of updating the one or more natural-language security-definitions and/or the one or more machine-readable security-definitions and the step of updating the corresponding system-specific security-definitions by the one or more rule-converters. This aspect enables the security-definitions at the different abstraction layers to be kept synchronized.
In addition to retrieving layer 3 definitions affected by layer 1 definitions as presented above, the method may further comprise the steps of updating one or more of the affected system-specific security-definitions, selecting the one or more affected system-specific security-definitions which have been updated, and retrieving the at least one natural-language security-definition which has updated the selected system-specific security definitions. Accordingly, this allows for a kind of “impact analysis” of new layer 1 definitions on existing layer 1 definitions.
In order to detect if a security-definition has been updated, the one or more natural-language security-definitions, the one or more machine-readable security-definitions and/or the one or more system-specific security-definitions may comprise a time-stamp indicating the time of their last update.
Furthermore, the one or more machine-readable security-definitions may comprise any of the group of constructs comprising users, roles, resources and/or access-privileges. This allows for a sufficiently precise but still generic representation of the corresponding natural-language security-definitions. In one aspect, the one or more machine-readable security-definitions may be defined in X
The present invention also relates to a rule-repository for generating one or more system-specific security-definitions for one or more heterogeneous subsystems of a software system, the rule-repository comprising one or more rule-converters, wherein the rule-repository is adapted for performing any of the methods presented above.
Further advantageous modifications of embodiments of the method and the rule-repository of the invention are defined in further dependent claims.
Lastly, the present invention concerns a computer program comprising instructions for performing any of the methods presented above.
In the following detailed description, presently preferred embodiments of the invention are further described with reference to the following figures:
a-b: Code listings illustrating an exemplary system-specific security-definition for a Tamino XML database management system.
In the following, a presently preferred embodiment of the invention is described with respect to a three-layered security-architecture as schematically shown in
Furthermore, it may be appreciated that the system-specific security-definitions 310, 311, 320, 321 may not only serve for access control to resources S10, S11, S20, S21, but to fulfill any kind of security intent. For example, the system-specific security-definitions 310, 311, 320, 321 may define rights to perform certain tasks such as user-management, administration, etc. or rights to start certain system-specific processes such as monthly billing, bank transfers, mail delivery, etc. Accordingly, the generation of such system-specific security-definitions 310, 311, 320, 321 may for example result in a written handout comprising directives to be followed by the personnel which performs the above tasks.
Typically, there is no one-to-one mapping of the security-definitions on the different layers, since a higher-layered security-definition might well result in multiple security-definitions on a lower layer. To be able to convert in both directions—from higher to lower and from lower to higher layer, an association between the security-definitions and their corresponding security-definitions on the other layers is given by the mappings depicted by the white arrows in
In the following, various advantageous features of the present invention are illustrated in the context of the exemplary scenario in
The overall security-intent, i.e. the natural-language security-definition 100 in this example is to “grant read access to all developers on the data relating to the project SYLT”.
The data relating to the project SYLT are stored in the WebD
In the following, all information is stored in a rule-repository in XML syntax. It should, however, be appreciated that XML is only one of a wide variety of possible data formats. Also, the specific structure of the shown XML documents is not intended to limit the scope of the invention to this structure. Furthermore, the rule-repository may be an XML database such as Tamino of Applicant. However, it should be appreciated that any other kind of storage facility is suitable for the present invention.
The corresponding machine-readable security-definition 200 is shown in
The corresponding WebD
Similarly,
Accordingly, the
Since the information of all layers is represented in XML in the above example, XQueries may be formulated to analyze the information in order to research for security issues. It should be understood that any format other than XML and related query mechanisms may be employed in the present invention. The following sample queries assume that the security-definitions of all layers are collectively stored in a single collection “rules”, however, other storage structures are equally possible.
The following query retrieves all layer-L3 security-definitions that are affected by the natural-language security-definition with the Id “DeveloperReadRule”, according to the mappings:
The next query depicted below takes this set and selects those layer-L3 security-definitions that have been touched, i.e. updated, in the meantime. This preferably involves a function getTimestamp( ) that computes the time-stamp a rule has been last updated. The function is preferably implemented in a way that heeds the different ways the time-stamp may be represented in the system-specific security-definitions of the different subsystems (e.g. in that it always returns a value of type xs:datetime).
The last query takes this set and selects those natural-language security-definitions which caused the layer-L3 security-definitions to be updated:
This query presumes that a natural-language security-definition has caused a layer-L3 security-definition to be updated, if both security-definitions have the same time-stamp. In other scenarios, it may be feasible to e.g. introduce a transaction ID to make the determination more precise. The above query furthermore uses a function getLayer3Rules( ). This exemplary function computes all layer-L3 security-definitions for a natural-language security-definition as demonstrated in the first query.
In summary, the three queries depicted above retrieve, for a given natural-language security-definition, the affected natural-language security-definitions, which have manipulated the same system-specific security-definitions and thus allow for an efficient analysis of the overall security set of the software system.
Number | Date | Country | Kind |
---|---|---|---|
08017143 | Sep 2008 | EP | regional |
Number | Name | Date | Kind |
---|---|---|---|
6751509 | Hirayama | Jun 2004 | B2 |
6978379 | Goh et al. | Dec 2005 | B1 |
7058715 | Jain et al. | Jun 2006 | B2 |
7308702 | Thomsen et al. | Dec 2007 | B1 |
7603358 | Anderson et al. | Oct 2009 | B1 |
8056114 | Allen et al. | Nov 2011 | B2 |
20060010445 | Peterson et al. | Jan 2006 | A1 |
20070056018 | Ridlon et al. | Mar 2007 | A1 |
Number | Date | Country |
---|---|---|
1 308 823 | May 2003 | EP |
WO 2008103725 | Aug 2008 | WO |
Number | Date | Country | |
---|---|---|---|
20100083348 A1 | Apr 2010 | US |