1. Field of the Invention
This invention relates to security and control and, in particular, to entitlement security and control between systems using metadata.
2. Description of the Related Art
Many attempts have been made to secure the flow of data between two or more systems. However, methods and apparatus available today require individual users to acquire access to an upstream protected application through an administrator. For example, methods and apparatus available today do not allow a downstream access control system to gain access to an upstream protected application, and they fail to separate entitlement from access, relying primarily on the "access" part of a security system. By focusing primarily on the access part of the security system, the methods and apparatus available today do not provide the level or type of security and protection needed against hackers, terminated employees, or other such individuals, groups, or organizations. For example, a hacker typically obtains access to a system (by hacking) but may never obtain entitlement. Similarly, a terminated employee may continue to access the company's email despite having been terminated, i.e., despite no longer having entitlement permission.
Furthermore, methods and apparatus available today do not have rules and roles at the entitlement level to filter downstream users and access control systems before they are granted access. Such methods and apparatus do not classify data in terms of security, importance, urgency, confidentiality, government, community and organization rules and regulations, and other such matters; they are manual and rely on the expectation that someone or some group within the company is security-aware and can flawlessly filter people when granting access permissions. Additionally, methods and apparatus available today do not use metadata.
Typically, as illustrated in FIG. 1, a security control system 100 comprises a downstream ACS 124 and an upstream ACS 126. For a user 102, having existing access to a downstream application 122, to gain access to an upstream application 118, the user 102 would have to place an access request 104 with the upstream ACS 126 through an administrator 106, or the user 102 may be the administrator 106 of the downstream ACS 124. First, the prior art does not provide the capability for a downstream ACS 124 to request access on behalf of a user, a group of users, or all users, or for the downstream ACS as a whole or itself. Second, the prior art does not require an entitlement request prior to submitting an access request. Furthermore, an administrator 106 is tasked with reviewing the request 104, and the administrator 106 is not likely to have access to many of the rules, regulations, laws, policies, security classifications, and names needed to make an informed decision, particularly when the database is from a different organization. Even if the administrator 106 did have access to such information, it is not likely to be updated; consequently, ACL 108 is not likely to be content-aware, security-aware, classified, or fully updated, and is likely to be unable to perform a real-time, fast, informed, and accurate check of access requests 104. Such a process only provides for user-based requests and does not allow for ACS-based requests; it is slow, manual, tedious, labor-intensive, and inaccurate if various changes are not quickly adopted or known, and it is based on out-of-date information.
None of the methods or apparatus available today is entitlement-based, metadata-driven, security-aware, or dynamically updated. Methods and apparatus available today do not provide for the review of user-based as well as ACS-based requests. Stated differently, methods and apparatus available today do not provide for the direct placing and reviewing of entitlement and access requests within a security and control system or between multiple security and control systems.
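The following is an added illustration, not part of the patent text and not the invention's own implementation, of the distinction the related-art discussion draws: an authorization layer that keeps entitlement separate from access, evaluates entitlement requests (whether placed by a user or by a downstream ACS on behalf of several users) against metadata rules rather than a manual administrator review, and consequently denies a principal who holds an access grant but no valid entitlement, such as an intruder who obtained access or a terminated employee whose ACL entry was never cleaned up. All class names, fields, classification levels and sample principals below are assumptions made for this example.

```python
"""Added example (not from the patent): entitlement kept apart from access.
Every name, field and sample value here is an assumption for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple

# Assumed classification ladder; a principal's clearance must reach the resource's level.
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Principal:
    """Identity metadata an entitlement decision is made on (constructed)."""
    name: str
    employment_status: str   # "active" or "terminated"
    clearance: str           # key of CLEARANCE_RANK
    role: str                # e.g. "finance", "contractor"


@dataclass
class Resource:
    """Upstream application with its security metadata (constructed)."""
    name: str
    classification: str      # key of CLEARANCE_RANK
    allowed_roles: Set[str]


@dataclass
class Entitlement:
    principal: str
    resource: str
    expires: date


class EntitlementRegistry:
    """Entitlement records, deliberately stored apart from the ACL."""
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], Entitlement] = {}

    def grant(self, e: Entitlement) -> None:
        self._records[(e.principal, e.resource)] = e

    def revoke(self, principal: str, resource: str) -> None:
        self._records.pop((principal, resource), None)

    def lookup(self, principal: str, resource: str) -> Optional[Entitlement]:
        return self._records.get((principal, resource))


class AccessControlSystem:
    """Plain ACL: which principals hold an access grant on which resource."""
    def __init__(self) -> None:
        self.acl: Dict[str, Set[str]] = {}

    def grant_access(self, principal: str, resource: str) -> None:
        self.acl.setdefault(resource, set()).add(principal)

    def has_access(self, principal: str, resource: str) -> bool:
        return principal in self.acl.get(resource, set())


def evaluate_entitlement_request(principals, resource: Resource, today: date,
                                 registry: EntitlementRegistry, ttl_days: int = 90) -> Dict[str, str]:
    """Rule-based review of an entitlement request for one or more principals.
    A downstream ACS can submit its whole user list; each principal is filtered
    by the resource's metadata before any access grant is considered."""
    outcome: Dict[str, str] = {}
    for p in principals:
        if p.employment_status != "active":
            outcome[p.name] = "denied: not an active employee"
        elif CLEARANCE_RANK[p.clearance] < CLEARANCE_RANK[resource.classification]:
            outcome[p.name] = "denied: clearance below classification"
        elif p.role not in resource.allowed_roles:
            outcome[p.name] = "denied: role not permitted"
        else:
            registry.grant(Entitlement(p.name, resource.name, today + timedelta(days=ttl_days)))
            outcome[p.name] = "granted"
    return outcome


def authorize(principal: Principal, resource: Resource, today: date,
              registry: EntitlementRegistry, acs: AccessControlSystem) -> Tuple[bool, str]:
    """Entitlement is checked first and against current metadata; an ACL entry alone never suffices."""
    ent = registry.lookup(principal.name, resource.name)
    if ent is None:
        return False, "no entitlement"
    if principal.employment_status != "active":
        return False, "entitlement holder no longer active"
    if ent.expires < today:
        return False, "entitlement expired"
    if not acs.has_access(principal.name, resource.name):
        return False, "entitled but no access grant"
    return True, "entitled and access granted"


def run_scenarios() -> Dict[str, object]:
    """Constructed scenario: an active finance user, a user terminated after
    entitlement was granted, and a low-clearance principal who holds an ACL
    entry obtained outside the entitlement process."""
    today = date(2024, 6, 1)
    payroll = Resource("payroll-db", "confidential", {"finance"})
    registry, acs = EntitlementRegistry(), AccessControlSystem()
    alice = Principal("alice", "active", "confidential", "finance")
    bob = Principal("bob", "active", "confidential", "finance")
    mallory = Principal("mallory", "active", "public", "contractor")

    # The downstream ACS requests entitlement for all of its users at once.
    review = evaluate_entitlement_request([alice, bob, mallory], payroll, today, registry)
    for name in ("alice", "bob", "mallory"):
        acs.grant_access(name, "payroll-db")   # ACL entries exist for all three, as in a legacy ACL

    bob.employment_status = "terminated"       # status changes; the stale ACL entry is left behind
    return {
        "review": review,
        "alice": authorize(alice, payroll, today, registry, acs),
        "bob": authorize(bob, payroll, today, registry, acs),
        "mallory": authorize(mallory, payroll, today, registry, acs),
    }
```

Running `run_scenarios()` shows the point of the separation: alice is admitted because she is entitled and holds an access grant, bob is refused despite his lingering ACL entry because the entitlement check consults his current employment status, and mallory is refused because the metadata rules never produced an entitlement for her, whatever the ACL says.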