The invention disclosed herein relates generally to methods for providing access to secure computer systems. More particularly, the present invention relates to a system and method for using a first system to provide access to one or more secure, external systems by providing the best matching security information to the external systems.
Organizations often have computing environments comprising a number of different systems. Generally, security measures are employed to restrict access to the different systems, such as requiring a user to provide a distinct set of credentials (e.g., a user ID and password pair) to each system. Although such security measures increases the integrity of individual systems, they impede the ability of the individual systems to work together.
For example, a user may operate an application from a first system to create a document which incorporates data contained in a database of a second system. Absent security measures, the first system may simply communicate with the second system to receive the data needed to create the document. However, where security measures protect each system, the first system would need to first satisfy the second system's security measure predefined for the specific user prior to receiving the needed data.
Standards, such as X.509, exist which define how systems may exchange security information thereby allowing secure systems to communicate with each other. However, such standards have significant drawbacks.
For example, all systems involved must support the standard, i.e., they must all exchange security information according to the manner defined by the standard. Legacy systems often operate with their own security protocol, e.g., definition for receiving security information and providing access to external systems based on the received security information. For such legacy systems to be able to support a standard, such as X.509, significant code changes would be required.
Another drawback of such standards is their limited flexibility. In addition to limiting access to only authorized users, security measures can be used to define the level of access for those users, e.g., one user may be authorized to access the entire system while another user may only access a single database. Standards, such as described above, typically support only a single set of credentials per user per system. However, it may be desirable for the same user to have multiple sets of credentials, and thereby multiple levels of access, for the same system.
There is thus a need for a system and method for allowing a user to provide security information only once in order to access multiple secure systems that have distinct protocols for receiving security information and providing access to external systems based on the received security information without altering the secure systems to which access is desired. Also, there is a need for such a system and method to support using multiple sets of security information per user to gain access at varying levels to the same secure system.