1. Field of the Invention
The present invention relates to data processing systems and networks. More specifically, it relates to controlling information access and distribution across one or more computing domains.
2. Description of the Related Art
Traditionally, an access control mechanism is used to protect information stored in an information system on a host computer or server for security and/or privacy. It allows registered/recognized users (and applications/agents acting on their behalf) to access (read, append, update, delete, create, etc.) information stored in the system. For each user, access is restricted to only the information that he/she is authorized to access and only for the operation(s) that he/she is authorized to perform, Accesses are always initiated by a user or an application program, and information protection ceases as soon as information leaves the information system.
There are two types of access control mechanisms: discretionary and mandatory. Discretionary access control is typically used in commercial systems where information entities (such as records, files, documents, folders, video clips) usually have ownership, and the owner of an entity can specify who can perform what operation on that entity. Such a specification is often called an access control list (ACL), which is essentially a collection of triplets each of which binds together specific user(s), operation(s), and entity/entities. The information entities and operations are particular to a specific information system, whereas the users can be generalized to include user accounts, roles and groups. Typically, the presence of an ACL represents an access authorization. Thus, by default, a user is not allowed to access an entity without an applicable ACL stored in the system, i.e., a triplet that covers the user's request in all three of its components, unless the user is the system administrator or the owner of the entity, or the entity is authorized for "any user". The owner of an entity can create, change, and delete ACLs for that entity at the owner's discretion. A fourth component can also be added to ACLs to specify the condition(s) for an ACL to be in effect, e.g., an activation/expiration date, the time of day, the day of week, an execution environment, etc.
Mandatory access control, on the other hand, is typically used in military systems where information entities do not have ownership. An entity, for example a document, is normally assigned a security classification and a subject category by a security officer. Only users who have a security clearance at the same level as the entity's classification or above, and at the same time have a "need to know" for the entity's subject category, can access this entity. The security classification of an entity can be altered and can expire.
In both cases, the protection mechanism involves two separate activities: one is for privileged users to specify access controls, and the other is to control access by any user to the protected information stored in the system in accordance with access control specifications. These two activities are illustrated in FIG. 1. In fact, the first activity itself involves access control. Although many systems adopt simple, fixed criteria (e.g., an owner or a security officer) to limit access-specification privilege, such a privilege can in fact be granted in a discretionary manner just like an ordinary access privilege. The second activity typically involves a reference monitor 140. When a user or application accesses certain information entities managed by the system, the reference monitor 140 checks the access against the access control specifications 120 that are in effect using an access control model 130 (i.e., a particular method of searching and interpreting the ACLs or mandatory controls) supported by the system. If it is determined that the requested operation (e.g., to retrieve or update certain information) is allowed, the operation is executed. Otherwise it is rejected.
With the advent of network technologies, such as the Internet and the World-Wide Web (WWW), new information systems such as digital libraries have appeared, which not only manage the storage of digital contents but also handle content distribution, both within an enterprise and outside the enterprise. In this case, information protection is no longer confined to a closed information system but needs to extend "down-stream" to handle information that has been distributed over networks, between servers that are under different administration domains, and to client machines on end-users' desktops. That is, an end-to-end protection is needed.
Furthermore, in this end-to-end solution, information not only can be "pulled" by users (i.e., a user-initiated action) in a conventional way, but also can be "pushed" by suppliers (i.e., a supplier-initiated action). Therefore, information protection has to control not only the "access" to information, but also the "receipt" of information and the "use" and the "retention" of received information. Here, usage includes not only browsing and printing but also editing, transformation, replication, redistribution and other operations. Therefore, information protection must be expanded from access control to rights management, that is, the rights of information owners (e.g., authors, publishers), custodians (e.g., distributors, warehouses, libraries), and users. This includes, but is not restricted to, copyrights, terms and conditions specified in license agreements, integrity and authenticity of information, and user privacy.
To provide such protection, the state of the current art is to use a conventional access control mechanism to protect information stored in a system and to provide a separate rights management mechanism to protect information distributed outside an administrative domain using encryption; content marking/finger-printing, digital signature, and other techniques. It should be noted that, while 100% protection of the rights of all parties involved in information distribution may not be feasible with current technologies, it is frequently not needed for many applications. For example, some "leakage" is often acceptable when protection is primarily on economic value rather than on secrecy, especially if a less-than-100% protection scheme allows the system to be more efficient and easier to use, and/or makes content more available, thereby increasing usage.
One design to protect distributed information, is for an information supplier to distribute information entities in encrypted form, such as with IBM Corporation's CRYPTOLOPE scheme as shown in FIG. 2 below. In this manner, information can be distributed freely using any means without loss of protection. A user who wants to use an encrypted entity must obtain the corresponding decryption key to "unlock" the content. This key can be obtained from a clearing center server 220, which can be the information supplier, an authorized agent of the supplier, or a mutually trusted third party who provides the clearing service. A clearing center 220 must verify that the user has satisfied the criteria to receive the entity according to the terms and conditions (T&Cs) associated with that entity (e.g., by paying a fee), before providing the user with the corresponding decryption key. Any business transaction (e.g., payment) can be handled by yet another party.
However, this two-tier (separate access control and rights management) protection method has a number of problems, examples of which are set forth below.
Inconsistent protection between information accessed directly from a base information system and information distributed to users can result.
Rights management can be lost if protected information is distributed to a server which uses a conventional information system and relies on a conventional access control mechanism for protection.
License T&Cs for information acquired from outside sources and stored in an enterprise information system can fail to be enforced.
The clearing center 220, being external to the base information system 200, does not normally have knowledge about the information model, unless such description is replicated on every clearing center for all information entities that have been distributed, which is an enormous task. Such ignorance limits the capability of the clearing center. For example, assume a periodical subscription entitles the subscriber to free and unlimited use of articles and issues covered by the subscription. Without knowing the information model, a clearing center would not be able to determine whether or not a particular entity, such as an issue or article of one of the protected periodicals, is indeed covered by a subscription.