METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR IMPLEMENTING POLICY-BASED SECURITY CONTROL FUNCTIONS

Information

  • Patent Application
  • 20080034402
  • Publication Number
    20080034402
  • Date Filed
    August 07, 2006
  • Date Published
    February 07, 2008
Abstract
A method, system, and computer program product for implementing policy-based security control functions is provided. The method includes constructing an organizational domain specifying business assets to be secured and the actors in specific roles requiring access to the business assets. The method also includes constructing a control policy domain including system setting attributes and access control policies for a computer system, the access control policies specifying permissions-based access to specified types of data based upon actor and purpose of use criteria. The method further includes mapping user identifiers to corresponding actors and mapping system artifacts in the computer system or subsystem to business assets defined in the organizational domain to which an access control policy is to be applied. The method also includes applying the access control policies to the system.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter which is regarded as the invention is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the invention are apparent from the following detailed description taken in conjunction with the accompanying drawings in which:

FIG. 1 illustrates one example of a system upon which the security control functions may be implemented in accordance with exemplary embodiments;

FIG. 2 illustrates one example of a flow diagram describing a process for implementing the security control functions in accordance with exemplary embodiments; and

FIG. 3 illustrates one example of a computer screen window of a main menu for implementing the security control functions in accordance with exemplary embodiments.

The detailed description explains the preferred embodiments of the invention, together with advantages and features, by way of example with reference to the drawings.


DETAILED DESCRIPTION OF THE INVENTION

Turning now to the drawings in greater detail, it will be seen that in FIG. 1 there is a system upon which security control functions may be implemented in exemplary embodiments. The security control functions establish security control measures that are compartmentalized by defined policies established for an organization or enterprise so that various risks and exposures of sensitive information and systems are minimized.


The system of FIG. 1 includes a host system 102 in communication with server systems 104A-104D over one or more networks 106. In exemplary embodiments, the host system 102 is operated by an organization or enterprise that implements the security control functions described herein. The host system 102 facilitates and causes the policies established by the enterprise to be accurately enforced with respect to maintaining system security (e.g., data integrity, access control, etc.).


Server systems 104A-104D are administered by individuals who may be employees of the enterprise implementing the host system 102. Each server system 104A-104D may be located within a single facility or may be remotely situated at various geographic locations. Each of server systems 104A-104D may be implemented using a general-purpose computer executing a computer program for carrying out the processes described herein. The server systems 104A-104D may be personal computers (e.g., a lap top, a personal digital assistant) or multi-user server systems. As shown in FIG. 1, server systems 104 include an administrator server system 104A, an executive server system 104B, an operations server system 104C, and a legal server system 104D. Each of these server systems 104 is provided with pre-defined access to data and resources of the system via the security control functions. For example, administrator server system 104A may be permitted to modify user IDs and user groups with respect to access to specified resources of the system. By contrast, an operations server system 104C may be permitted to have read-only access to operations-related data stored within the system (e.g., storage device 124). While only four server systems 104A-104D are shown in the system of FIG. 1, it will be understood that many server systems (and classifications of server systems) may be implemented in order to realize the advantages of the security control functions.


The host system 102 may be implemented using one or more servers operating in response to a computer program stored in a storage medium accessible by the server(s). The host system 102 may operate as a network server (e.g., a web server) to communicate with the server systems 104A-104D. The host system 102 handles sending and receiving information to and from the server systems 104A-104D and can perform associated tasks. The host system 102 executes one or more applications (e.g., security control application 108) to provide the services described herein. It will be understood that a variety of additional applications (e.g., word processing, spreadsheet, Web-based, etc.) may be implemented by the host system 102.


The host system 102 is in communication with a storage device 124. Storage device 124 may be implemented using memory contained in the host system 102 or it may be a separate physical device. In exemplary embodiments, the storage device 124 is in direct communication with the host system 102 (via, e.g., cabling). However, other network implementations may be utilized. For example, storage device 124 may be logically addressable as a consolidated data source across a distributed environment that includes one or more networks 106. Information stored in the storage device 124 may be retrieved and manipulated via the host system 102. Storage device 124 stores a variety of information for use in implementing the security control processes. For example, storage device 124 may store various information elements to be secured (e.g., which comprises sensitive or proprietary information, the disclosure or loss of which would result in harm and/or liability to the enterprise). This information may include database tables, files, directories, libraries, etc., or any information typically associated with the operations of a business or organization. The storage device 124 may also store information created as a result of implementing the security control functions described herein. For example, storage device 124 may store organization domains, policy domains, system settings, etc.


Network(s) 106 may be any type of known network including, but not limited to, a wide area network (WAN), a local area network (LAN), a global network (e.g. Internet), a virtual private network (VPN), and an intranet. The network(s) 106 may be implemented using a wireless network or any kind of physical network implementation known in the art. A server system 104 may be coupled to the host system 102 through multiple networks (e.g., intranet and Internet) so that not all server systems 104 are coupled to the host system 102 through the same network. One or more of the server systems 104 and the host system 102 may be connected to the network 106 in a wireless fashion.


The security control application 108 comprises seven components or modules which facilitate the expression of the policies and related features of the security control processes. These components include organizational domain construction 110, policy domain construction 112, system artifact classification 114, purpose of data use specification 116, policy application 118, classification validation 120, and policy compliance auditing 122. Components 110 and 112 enable business asset owners to express security policies in terms of the business assets they own or for which they are responsible (rather than the computer system objects that make up those assets). Components 114-122 enable computer system administrators to enforce (rather than define and enforce) the policies expressed by the business asset owners more quickly, easily, and accurately.


The domain construction component 110 builds a set of abstract actors, actions, and resources that policies are allowed to use. Policy construction component 112 enables the expression of a set of abstract statements about access control, password settings, and system settings. System artifact classification component 114 provides the ability to map system artifacts (e.g., user IDs, files, database tables, etc.) to objects in the organizational domain (e.g., actors and resources of data types). Purpose of data use specification component 116 defines what mechanisms in the system enforce policies that include a specific purpose of use requirement. Policy application component 118 takes a policy along with all the system classification and mapping data and changes the security control settings on a server system to be in compliance with the security policy. Classification validation component 120 determines which system artifacts, if any, have been added to the system since the last application of policy and are currently unclassified; which system artifacts, if any, have been removed since the last application of policy; and which system artifacts, if any, have changed in some way that would affect the enforcement of security policy. Policy compliance auditing component 122 verifies that the current security attributes or system settings of the system artifacts are in compliance with the policy. These components are described further herein.


Turning now to FIG. 2, a flow diagram describing a process for implementing the security control functions is described in exemplary embodiments. The security control application 108 provides a user interface through which administrators of one or more server systems 104A-104D may: 1) cause the expressed security policies to be enforced on the server system; 2) audit the compliance of a server system with the expressed security policies; and 3) evaluate the accuracy of the data classification for a server system. The components 110-122 may be selected from a main menu provided by the security control application 108 via the user interface. A user interface 300 illustrating a main menu is shown in FIG. 3.


At step 202, an organizational domain is constructed. The construction of the organizational domain is enabled via the domain construction component 110 of the security control application 108. In exemplary embodiments, the domain construction processes may involve all parts of an enterprise and are managed at the highest level. Members of the enterprise provide input regarding the business assets to be secured, the roles of employees within the organization, and the actions people in those roles can take on those business assets. Through this activity, it may be discovered that the organization contains assets related to specific business tasks such as sales, manufacturing, and human resources. Thus, it may also be determined, e.g., that there is an employee role responsible for sending bills to customers, another that determines bonuses for salesmen, and another that seeks to improve the manufacturing process. The enterprise may then construct three organizational domains, each of which would contain the security policies for the business assets associated with one of the specific business tasks. Alternatively, the enterprise could choose to create a single organizational domain to contain the security policies for business assets associated with all of the business tasks in the organization. The business assets in the domain are abstract notions rather than individual system objects. For example, the information generated and used by the sales department, along with the systems and applications which access that information, constitutes a business asset to be secured. The organizational domain would also contain the actors (or roles), e.g., accountant, payroll provider, and process engineer. Actors represent the various employee roles in an organization. Thus, an employee who dispenses payroll checks may represent an actor in the role of a "payroll provider".


At step 204, control policies are created via the policy construction component 112 of the security control application 108. An organization-wide policy may be constructed containing several pieces of information. For example, the policy may contain several system setting attributes that must be true for any system in the organization (e.g., a requirement that all passwords have a numeric character). In addition, access control policies are established via the policy construction component 112. Access control policies include a set of statements specifying which actors are permitted to access which business assets and for what purposes. A sample access control policy might include: accountants can access sales data for the purpose of billing. Another sample access control policy might include: payroll providers can read human resources data and sales data for the purposes of conducting payroll activities. These access control policies may be expressed using a variety of techniques. For example, a user may enter a policy in natural language that is parsed and shown to the user in a more structured format using a product, such as IBM's SPARCLE™ or similar technique.


At step 206, user and/or group identifiers (user/group IDs) for users of the system are mapped to actors via the system artifact classification component 114. Each system or subsystem to which a policy is to be applied must have the artifacts of that system classified as (or mapped to) actors or business assets defined in the policy domain. For example, any given system has user IDs. Some of these users may be process engineers, accountants, or payroll providers (i.e., actors). Each actor in the policy domain is associated with corresponding user IDs or groups which represent people or groups of people performing the role of the specified actor. Likewise, the business asset resources from the policy domain should be mapped to files, directories, libraries, tables and columns, programs, etc., on the system. These mappings are specified at step 208. The classification of computer resource artifacts allows the security control application 108 to apply a general abstract policy to specific physical computer resources.


Some access control statements may specify that a business asset can only be accessed for a specific business purpose. There are several ways of determining purpose. In exemplary embodiments, the data is configured for access only through a specific application. In this component, the application that embodies a purpose for a given resource is specified. This may be done at the business asset level if all of the artifacts that constitute a business asset can be used by one application, or it can be configured on a system artifact by system artifact basis. This component can take place independently of any system information if a set of known applications is to be used for a given purpose for a given resource. A simpler embodiment of this phase would be that, for a given system, an executable program is mapped to a purpose of a business asset. These activities may be implemented via the purpose of use specification component 116.


At step 210, the access control policies are applied to the system via the policy application component 118. System settings, such as password length, are changed and the access attributes of file system and database objects are set according to policy. Using the above enterprise example, access to tables making up manufacturing data would be denied for any user ID not mapped to the process engineer actor role. Read access would be granted to those user IDs which are process engineers. Requiring that data is used only for a specific purpose may be accomplished by creating a user ID that represents a purpose and using a mechanism like "set user ID" to control access to the data. Other mechanisms may be employed as well.


Before changes are made, a report may be presented to the user about what will be changed. After the changes are made, a report may be presented to the user about what changes were made. Additionally, policy items that could not be enforced may be reported for further evaluation and action.


The classification validation component 120 determines whether all system artifacts have been mapped to actors, roles, or purposes defined in the organizational and policy domains (i.e., mappings established via component 114). Considerable time may have passed between the start of the classification phase and the application of the policy. Things like changes to group membership or the creation of new system artifacts may have occurred. These changes may be reported to the user of the invention who may be prompted for the action that should be taken by the invention. For example, new user identifiers (IDs) may be mapped to actors or the entire classification process may be restarted.


The policy compliance auditing component 122 audits compliance of the policy actually enforced on a system with the policies defined in a policy domain. The purpose of this is to ensure that the system accurately enforces the domain policies or, if not, that the deviations are properly reported. This may involve checking the security attributes of system artifacts, looking for group membership changes, and watching for new artifact creation. This process may also be used if the policy is changed, to verify that the system is still in compliance. Thus, these components 120-122 may be re-iterated for ongoing validation and auditing.
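The procedure of steps 202 through 210, together with the classification validation and compliance auditing components 120 and 122, modelled as an added example that is not code from the patent. The domain, policy, classification mappings and purpose-to-program bindings are constructed sample data; `desired_acl` derives the concrete grants that policy application would set (default deny, each grant bound to the program that embodies its purpose), `validate_classification` reports unmapped or removed artifacts, and `audit_compliance` reports deviations between policy and what a system actually enforces.

```python
from collections import defaultdict

# Constructed sample data modelling the enterprise example in the text
# (none of these names come from the patent).
# Organizational domain (step 202): abstract actors and business assets.
ORG_DOMAIN = {
    "actors": {"accountant", "payroll_provider", "process_engineer"},
    "assets": {"sales_data", "hr_data", "manufacturing_data"},
}
# Control policy domain (step 204): system setting attributes that must hold on
# every system, plus access statements (actor, action, asset, purpose).
POLICY = {
    "settings": {"password_min_length": 8, "password_requires_digit": True},
    "access": [
        ("accountant", "read", "sales_data", "billing"),
        ("payroll_provider", "read", "hr_data", "payroll"),
        ("payroll_provider", "read", "sales_data", "payroll"),
        ("process_engineer", "read", "manufacturing_data", "process_improvement"),
    ],
}
# Classification (steps 206 and 208): user IDs -> actors, artifacts -> assets.
USER_MAP = {"alice": {"accountant"}, "bob": {"payroll_provider"},
            "carol": {"process_engineer"}}
ARTIFACT_MAP = {"/db/sales/orders": "sales_data", "/db/hr/salaries": "hr_data",
                "/db/mfg/yield": "manufacturing_data"}
# Purpose-of-use specification (component 116): each purpose is embodied by one
# program, the only path through which the data may be reached.
PURPOSE_APPS = {"billing": "/bin/billing", "payroll": "/bin/payroll",
                "process_improvement": "/bin/mfgstats"}


def desired_acl(policy, user_map, artifact_map, purpose_apps):
    """Step 210: turn the abstract policy into concrete per-artifact grants.
    Default deny: a user gets (action, program) on an artifact only when an
    actor the user is mapped to has a statement for the artifact's asset."""
    acl = defaultdict(set)
    for artifact, asset in artifact_map.items():
        for actor, action, stmt_asset, purpose in policy["access"]:
            if stmt_asset != asset:
                continue
            for user, actors in user_map.items():
                if actor in actors:
                    acl[artifact].add((user, action, purpose_apps[purpose]))
    return dict(acl)


def validate_classification(system_users, system_artifacts, user_map, artifact_map):
    """Component 120: users/artifacts that appeared since classification and are
    still unmapped, and mapped artifacts that no longer exist on the system."""
    return {
        "unmapped_users": sorted(set(system_users) - set(user_map)),
        "unmapped_artifacts": sorted(set(system_artifacts) - set(artifact_map)),
        "removed_artifacts": sorted(set(artifact_map) - set(system_artifacts)),
    }


def audit_compliance(policy, desired, observed_acl, observed_settings):
    """Component 122: compare what the system enforces with the policy: setting
    mismatches as (required, actual), grants present but not allowed by policy
    ("excess") and required grants the system lacks ("missing")."""
    findings = {"settings": {}, "excess": [], "missing": []}
    for key, required in policy["settings"].items():
        actual = observed_settings.get(key)
        if actual != required:
            findings["settings"][key] = (required, actual)
    for artifact in sorted(set(desired) | set(observed_acl)):
        want = desired.get(artifact, set())
        have = set(observed_acl.get(artifact, set()))
        findings["excess"] += sorted((artifact,) + g for g in have - want)
        findings["missing"] += sorted((artifact,) + g for g in want - have)
    return findings
```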


The capabilities of the present invention can be implemented in software, firmware, hardware or some combination thereof.


As one example, one or more aspects of the present invention can be included in an article of manufacture (e.g., one or more computer program products) having, for instance, computer usable media. The media has embodied therein, for instance, computer readable program code means for providing and facilitating the capabilities of the present invention. The article of manufacture can be included as a part of a computer system or sold separately.


Additionally, at least one program storage device readable by a machine, tangibly embodying at least one program of instructions executable by the machine to perform the capabilities of the present invention can be provided.


The flow diagrams depicted herein are just examples. There may be many variations to these diagrams or the steps (or operations) described therein without departing from the spirit of the invention. For instance, the steps may be performed in a differing order, or steps may be added, deleted or modified. All of these variations are considered a part of the claimed invention.


While the preferred embodiment to the invention has been described, it will be understood that those skilled in the art, both now and in the future, may make various improvements and enhancements which fall within the scope of the claims which follow. These claims should be construed to maintain the proper protection for the invention first described.

Claims
  • 1. A method for implementing policy-based security control functions, comprising: constructing an organizational domain specifying business assets to be secured and actors in specific roles which require access to the business assets; constructing a control policy domain including system setting attributes and access control policies for a computer system, the access control policies specifying permissions-based access to specified types of data based upon actor and purpose of use criteria; mapping user identifiers to corresponding actors; mapping system artifacts in the computer system, or a subsystem of the computer system, to business assets defined in the organizational domain to which an access control policy is to be applied; and applying the access control policies to the computer system.
  • 2. The method of claim 1, wherein the actors include at least one of individual user identifiers and group identifiers mapped to the specific roles.
  • 3. The method of claim 1, wherein each of the business assets is mapped to one or more physical or logical locations that store data or programs.
  • 4. The method of claim 1, further comprising validating that the system artifacts are mapped to the actors and the business assets, the system artifacts including at least one of user identifiers, group identifiers, physical storage locations, and logical storage locations; and reporting discrepancies to a specified entity.
  • 5. The method of claim 4, further comprising auditing the computer system or subsystem of the computer system for compliance with an expressed access control policy and reporting any discrepancies, the auditing including checking security attributes of the system artifacts, looking for group membership changes, and watching for new artifact creation.
  • 6. A system for implementing policy-based security control functions, comprising: a host system in communication with at least one server system; and a security control application executing on the host system, the security control application including components for performing: constructing an organizational domain specifying business assets to be secured and actors in specific roles which require access to the business assets; constructing a control policy domain including system setting attributes and access control policies for a computer system, the access control policies specifying permissions-based access to specified types of data based upon actor and purpose of use criteria; mapping user identifiers to corresponding actors; mapping system artifacts in the computer system, or a subsystem of the computer system, to business assets defined in the organizational domain to which an access control policy is to be applied; and applying the access control policies to the computer system.
  • 7. The system of claim 6, wherein the actors include at least one of individual user identifiers and group identifiers mapped to the specific roles.
  • 8. The system of claim 6, wherein each of the business assets is mapped to one or more physical or logical locations that store data or programs.
  • 9. The system of claim 6, wherein the security control application further performs: validating that the system artifacts are mapped to the actors and the business assets, the system artifacts including at least one of: user identifiers, group identifiers, physical storage locations, and logical storage locations; and reporting discrepancies to a specified entity.
  • 10. The system of claim 9, wherein the security control application further performs: auditing the computer system or subsystem for compliance with an expressed access control policy and reporting any discrepancies, the auditing including checking security attributes of the system artifacts, looking for group membership changes, and watching for new artifact creation.
  • 11. A computer program product for implementing policy-based security control functions, the computer program product including instructions for implementing a method, comprising: constructing an organizational domain specifying business assets to be secured and actors in specific roles which require access to the business assets; constructing a control policy domain including system setting attributes and access control policies for a computer system, the access control policies specifying permissions-based access to specified types of data based upon actor and purpose of use criteria; mapping user identifiers to corresponding actors; mapping system artifacts in the computer system, or a subsystem of the computer system, to business assets defined in the organizational domain to which an access control policy is to be applied; and applying the access control policies to the computer system.
  • 12. The computer program product of claim 11, wherein the actors include at least one of individual user identifiers and group identifiers mapped to the specific roles.
  • 13. The computer program product of claim 11, wherein each of the business assets is mapped to one or more physical or logical locations that store data or programs.
  • 14. The computer program product of claim 11, further comprising instructions for implementing: validating that the system artifacts are mapped to the actors and the business assets, the system artifacts including at least one of user identifiers, group identifiers, physical storage locations, and logical storage locations; and reporting discrepancies to a specified entity.
  • 15. The computer program product of claim 14, further comprising instructions for auditing the computer system or subsystem of the computer system for compliance with an expressed access control policy and reporting any discrepancies, the auditing including checking security attributes of the system artifacts, looking for group membership changes, and watching for new artifact creation.