1. Technical Field
This disclosure relates generally to computer-implemented techniques for designing, configuring and managing security policies within an organization.
2. Background of the Related Art
Managing security policies within an organization is often a difficult task. Many organizations have some understanding of their employees' roles within their organization and the information technology (IT) functions a user in a given role needs to access to conduct his or her daily job. Translating these access requirements to security policies within a given security framework, however, can be tedious and complicated.
More specifically, the existing processes and techniques for designing and configuring security policies often suffer from the following problems. First, the security administrator must have in-depth knowledge of the technology for which policy will be configured. For example, if one is to implement a security policy within a known system, one needs to understand how to use access control lists, object policies and authorization rules, as well as understanding the full application scope at issue. Acquiring such knowledge can be very time-consuming and costly. Second, translating a business security requirement for access control to a technology-specific design is often an inexact activity, especially in cases where the available security framework cannot represent that requirement precisely.
While there are known solutions (such as IBM® Tivoli® Security Policy Manager) that attempt to address these problems by separating a business security view from IT systems implementation, they still require the security administrator to understand various policy configuration items even if vendor-neutral or standards-based.
There remains a need to provide a security framework that can translate role-based access requirements directly to security policies.
The subject matter herein provides a security framework method and system that removes the complexity associated with security policy authoring and enables such policies to be automatically defined and deployed. In an illustrative embodiment, an interface is provided through which an operator (such as a business security analyst) can role play and, as a result, a series of transactions that users of a particular role are entitled to perform are recorded. Thus, for example, transactions are recorded as the role player accesses various IT functions while role playing a specific role. Based on these recorded user transactions, the system then automatically generates one or more security policies. These policies can be extended to similar transactions, and generated policies may be optimized, or they may be consolidated to reduce redundancy. The policies are then distributed to various policy decision and enforcement points within the organization.
The foregoing has outlined some of the more pertinent features of the invention. These features should be construed to be merely illustrative. Many other beneficial results can be attained by applying the disclosed invention in a different manner or by modifying the invention as will be described.
For a more complete understanding of the present invention and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
With reference now to the drawings and in particular with reference to
With reference now to the drawings,
In the depicted example, server 104 and server 106 are connected to network 102 along with storage unit 108. In addition, clients 110, 112, and 114 are also connected to network 102. These clients 110, 112, and 114 may be, for example, personal computers, network computers, or the like. In the depicted example, server 104 provides data, such as boot files, operating system images, and applications to the clients 110, 112, and 114. Clients 110, 112, and 114 are clients to server 104 in the depicted example. Distributed data processing system 100 may include additional servers, clients, and other devices not shown.
In the depicted example, distributed data processing system 100 is the Internet with network 102 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, governmental, educational and other computer systems that route data and messages. Of course, the distributed data processing system 100 may also be implemented to include a number of different types of networks, such as for example, an intranet, a local area network (LAN), a wide area network (WAN), or the like. As stated above,
With reference now to
In the depicted example, data processing system 200 employs a hub architecture including bridge and memory controller hub (NB/MCH) 202 and bridge and input/output (I/O) controller hub (SB/ICH) 204. Processing unit 206, main memory 208, and graphics processor 210 are connected to NB/MCH 202. Graphics processor 210 may be connected to NB/MCH 202 through an accelerated graphics port (AGP).
In the depicted example, local area network (LAN) adapter 212 connects to SB/ICH 204. Audio adapter 216, keyboard and mouse adapter 220, modem 222, read only memory (ROM) 224, hard disk drive (HDD) 226, CD-ROM drive 230, universal serial bus (USB) ports and other communication ports 232, and PCI/PCIe devices 234 connect to SB/ICH 204 through bus 238 and bus 240. PCI/PCIe devices may include, for example, Ethernet adapters, add-in cards, and PC cards for notebook computers. PCI uses a card bus controller, while PCIe does not. ROM 224 may be, for example, a flash basic input/output system (BIOS).
HDD 226 and CD-ROM drive 230 connect to SB/ICH 204 through bus 240. HDD 226 and CD-ROM drive 230 may use, for example, an integrated drive electronics (IDE) or serial advanced technology attachment (SATA) interface. Super I/O (SIO) device 236 may be connected to SB/ICH 204.
An operating system runs on processing unit 206. The operating system coordinates and provides control of various components within the data processing system 200 in
As a server, data processing system 200 may be, for example, an IBM® eServer™ System p® computer system, running the Advanced Interactive Executive (AIX®) operating system or the LINUX® operating system. IBM, AIX, eServer, MQSeries, and system P are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. LINUX is a registered trademark of Linus Torvalds in the United States, other countries, or both. Data processing system 200 may be a symmetric multiprocessor (SMP) system including a plurality of processors in processing unit 206. Alternatively, a single processor system may be employed.
Instructions for the operating system, the object-oriented programming system, and applications or programs are located on storage devices, such as HDD 226, and may be loaded into main memory 208 for execution by processing unit 206. The processes for illustrative embodiments of the disclosure may be performed by processing unit 206 using computer usable program code, which may be located in a memory such as, for example, main memory 208, ROM 224, or in one or more peripheral devices 226 and 230, for example.
A bus system, such as bus 238 or bus 240 as shown in
Those of ordinary skill in the art will appreciate that the hardware in
In particular, and with reference to
Irrespective of what application 302 is used, an identifier for the selected role is recorded in an application session. As the BSA 300 role plays, the application 302 records the details of the functions accessed in access logs 304. Preferably, this step is carried out using the application's native logging capabilities, in which case no additional or supplemental logging mechanism to be implemented, but this is not a requirement. Preferably, and at a minimum, a log entry comprises the values of security attributes used in the security policies, e.g., one or more of: URL, access time, transaction data, and the like. An access analyzer 306 reads the access logs 304 and optimizes the access patterns in a manner described in more detailed below. For example, identical accesses on multiple resources might be conveniently condensed into a single policy definition. The access analyzer 306 preferably also makes use of a resource hierarchy (e.g., a directory tree) to consolidate accesses. A policy generator 308 translates the access patterns to technology-specific policies and then loads these policies into a policy manager 310. The policy manager 310 is responsible for distributing the policies to one or more security policy enforcement points within or across the enterprise.
The security framework shown in
The basic technique described above can be modified to extend its usability and usefulness. For example, an additional editing interface may be provided to enable the security administrator (e.g., the BSA) to review and modify the generated policies before they are loaded into the policy manager. The interface may be a web-based GUI with known tools and controls, command-line based, or otherwise. This allows a two-stage approach to the security implementation, wherein preferably the majority of the security policies are automatically generated by the described technique and any required fine tuning is done by this additional editing interface. The security administrator may configure attributes of a request or the application context that can be used to group together similar transactions. Such a parameterized interface may be a desirable extension where data is input to the application as a Web service or for applications under test where authorization based on resource name or location is not fine-grained enough (and/or a web service method or operation is also required).
Preferably, the techniques described herein are integrated with one or more (and preferably all) security policy enforcement points for an application. By way of background,
In operation, the BSA selects a first security role (such as role 1) and accesses one or more (or preferably all) functions of the application required for the role. The application (or, more generally, the security framework) writes the details of the functions accessed in the access logs (not shown), such details typically including URL, access time, and the like. The BSA then selects a second security role (such as role 2) and repeats the process. As described above, the access analyzer reads the access logs and optimizes the access patterns. In particular, and with reference to
While the example in
The inventive technique is not limited to network access policy management. As noted above, the invention allows a security administrator to configure attributes of the particular application context that can be used to group similar transactions. This enables the policy to be generated at the application layer. For example, assume the Internet application (such as shown above in
Thus, in a typical implementation there is an application (or application suite) that has been developed and for which there is now a need to overlay a security policy definition. Using the above-described technique, the application is deployed in a pre-production environment, and a given user role plays against that application (typically by performing one or more operations as a particular user in a particular group). As the BSA or other operator role plays, the application (or the framework) writes access logs, which are then analyzed and consolidated into a set of commands that drive a policy generator. The policy generator creates an optimized security policy that it then deploys to one or more enforcement points. In this manner, the framework enables automated configuration and deployment of one or more security policies.
In general, the framework enables a user (e.g., an administrator or analyst) to simulate role-specific transactions and then have the framework automatically generate a security policy based on those simulated transactions. Thus, the invention allows the user to express policies in terms that are more business- (as opposed to technology-) oriented. In operation, the user (e.g., the business analyst) role preferably plays at least one specific role (i.e., he or she executes various use cases as they may have been defined in a requirements phase), the system collects access data, and then it uses that data to drive the creation of the security policy or policies.
The disclosed subject matter provides significant advantages. It greatly simplifies policy management by removing the complexity involving with security policy authoring and design. As a result, an IT system can be secured with less time and less potential for errors. The method and system eliminates the need to understand technology-specific policy configuration. The approach tackles the access control problem from a business enablement point of view rather than a policy management point of view. It allows the security administrator to focus on fulfilling a business requirement rather than configuring technology-specific security policies. This aspect of the solution greatly simplifies the process of securing the IT system and makes understanding the security implementation more efficient. By using the above-described techniques, the most complex part of a security management implementation, namely, the policy design, is now automated so that any human error factors are greatly reduced. By using the described invention, more concise policy definitions are also achieved because policy definition occurs for only a well-known set of functions. In addition, by taking advantage of the techniques herein, a security administrator need no longer be an expert in security technologies and products. This reduces the cost involved with education and training. Indeed, using the present invention, even a business analyst can play the role of a security administrator, because the above-described techniques can be implemented with a basic understanding of which IT functions are required for a given role.
Utilizing the inventive technique (e.g. at all enforcement points) ensures that each access component (of a set of access components that are used to access a given application or application suite) only defines policies that are relevant to a specific business security requirement. It also allows a consistent set of policies to be created and applied at every part of the IT system. Using the policy preview feature described above, the security administrator or other user can also review the overarching set of policies generated for a given security role and be confident that all parts of the IT system satisfy the business security requirement.
Although an example of a web application policy definition process has been described above, this is not a limitation. Other examples of access can easily be accommodated by following the same process above, albeit with different instrumented enforcement points. An example may be securing network access to servers through UNIX®/Linux terminal sessions (UNIX is a registered trademark of the Open Group in the United States and other countries).
The functionality described above may be implemented within or as an adjunct to any existing or later-developed security policy management approach. The disclosed technique is not limited to any particular type of application, or any particular type of access or security manager. Also, the term “security framework” should be broadly construed to refer to any existing or later-developed techniques, functions, systems, devices, processes, programs, utilities or the like that are implemented. Moreover, the above-described techniques are not limited to “security” policy design, configuration and deployment. Indeed, the role play and automated policy generation and deployment techniques can be used for other policy management, including, without limitation, privacy policy, and the like.
The functionality described above may be implemented as a standalone approach, e.g., a software-based function executed by a processor, or it may be available as a managed service (including as a web service via a SOAP/XML interface). The particular hardware and software implementation details described herein are merely for illustrative purposes are not meant to limit the scope of the described subject matter.
More generally, computing devices within the context of the disclosed invention are each a data processing system (such as shown in
The scheme described herein may be implemented in or in conjunction with various server-side architectures including simple n-tier architectures, web portals, federated systems, and the like.
Still more generally, the subject matter described herein can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In a preferred embodiment, the function is implemented in software, which includes but is not limited to firmware, resident software, microcode, and the like. Furthermore, as noted above, the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can contain or store the program for use by or in connection with the instruction execution system, apparatus, or device. The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or a semiconductor system (or apparatus or device). Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD. The computer-readable medium is a tangible item.
The computer program product may be a product having program instructions (or program code) to implement one or more of the described functions. Those instructions or code may be stored in a computer readable storage medium in a data processing system after being downloaded over a network from a remote data processing system. Or, those instructions or code may be stored in a computer readable storage medium in a server data processing system and adapted to be downloaded over a network to a remote data processing system for use in a computer readable storage medium within the remote system.
In a representative embodiment, the role-play interface, access analyzer and policy generator components are implemented in a special purpose computer, preferably in software executed by one or more processors. The software is maintained in one or more data stores or memories associated with the one or more processors, and the software may be implemented as one or more computer programs. Collectively, this special-purpose hardware and software comprises a security framework that provides automated security policy definition. The security framework may be extended to include a mechanism for deploying the generated policies.
The security framework may be implemented as an adjunct or extension to an existing access manager or policy management solution.
In an alternative embodiment, the set of role-specific transactions performed by the BSA during the policy generation process may be performed programmatically.
While the above describes a particular order of operations performed by certain embodiments of the invention, it should be understood that such order is exemplary, as alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, or the like. References in the specification to a given embodiment indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic.
Finally, while given components of the system have been described separately, one of ordinary skill will appreciate that some of the functions may be combined or shared in given instructions, program sequences, code portions, and the like.
As used herein, the “client-side” application should be broadly construed to refer to an application, a page associated with that application, or some other resource or function invoked by a client-side request to the application. A “browser” as used herein is not intended to refer to any specific browser (e.g., Internet Explorer, Safari, FireFox, or the like), but should be broadly construed to refer to any client-side rendering engine that can access and display Internet-accessible resources. Further, while typically the client-server interactions occur using HTTP, this is not a limitation either. The client server interaction may be formatted to conform to the Simple Object Access Protocol (SOAP) and travel over HTTP (over the public Internet), FTP, or any other reliable transport mechanism (such as IBM® MQSeries° technologies and CORBA, for transport over an enterprise intranet) may be used. Also, the term “web site” or “service provider” should be broadly construed to cover a web site (a set of linked web pages), a domain at a given web site or server, a trust domain associated with a server or set of servers, or the like. A “service provider domain” may include a web site or a portion of a web site. Any application or functionality described herein may be implemented as native code, by providing hooks into another application, by facilitating use of the mechanism as a plug-in, by linking to the mechanism, and the like.
Having described our invention, what we now claim is as follows.
Number | Name | Date | Kind |
---|---|---|---|
6950802 | Barnes et al. | Sep 2005 | B1 |
7308702 | Thomsen et al. | Dec 2007 | B1 |
7340469 | Alghathbar et al. | Mar 2008 | B1 |
7506371 | Ben-Natan | Mar 2009 | B1 |
7516476 | Kraemer et al. | Apr 2009 | B1 |
20020184525 | Cheng | Dec 2002 | A1 |
20030110192 | Valente et al. | Jun 2003 | A1 |
20040162781 | Searl et al. | Aug 2004 | A1 |
20050119905 | Wong et al. | Jun 2005 | A1 |
20050193196 | Huang et al. | Sep 2005 | A1 |
20060026669 | Zakas | Feb 2006 | A1 |
20060147043 | Mann et al. | Jul 2006 | A1 |
20060184995 | Backes et al. | Aug 2006 | A1 |
20060277184 | Faitelson et al. | Dec 2006 | A1 |
20070282778 | Chan et al. | Dec 2007 | A1 |
20080104393 | Glasser et al. | May 2008 | A1 |
20080235168 | Chan et al. | Sep 2008 | A1 |
20080244736 | Lampson et al. | Oct 2008 | A1 |
20090077621 | Lang et al. | Mar 2009 | A1 |
20090138939 | Kumar et al. | May 2009 | A1 |
Entry |
---|
Bindview Unveils Policy Center—A Comprehensive Web-based Security Policy Devleopment and Management, Business Wire, Jul. 29, 2002. |
Bindview Operations Center—marketing document, BindView, 2003. |
Sam Costello, BindView, Procinct release security services, Aug. 2, 2002, Computerworld. |
Elemental Security Platform—Agent Based Host Security Policy Compliance and Management, May 17, 2005. |
Number | Date | Country | |
---|---|---|---|
20110078759 A1 | Mar 2011 | US |