1. Field of the Invention
The present invention relates to computer security. More specifically, the present invention relates to a method for imposing quorum-based access control in a computer system.
2. Related Art
Many organizations have invested a large amount of time and money in developing tools to protect sensitive data. However, many enterprise applications that are used by these organizations share the same basic architecture, which makes them prone to security flaws. These enterprise applications typically include a database, a set of middle-tier servers containing logic that interacts with the database, a set of “sophisticated” security layers, and a set of backdoors that bypass most of the security.
Many enterprise applications share the same set of backdoors. For example, the root accounts on many middle-tier systems, and the operating system accounts used to install the middle-tier systems, can often obtain full access to the system when the systems reboot. This mechanism can potentially be exploited to gain unauthorized access to sensitive data. Additionally, users can often exploit the backdoors to gain access to privileged data accounts that many enterprise applications require for data processing.
System designers cannot completely eliminate these accounts and backdoors in existing systems because many of the backdoors exist to enable important operations. For example, applications often need to “bootstrap,” which involves loading the first few instructions of an application and then using these instructions to load the rest of the application, and this bootstrapping process often requires a backdoor.
Although eliminating backdoors is not feasible in existing systems, a number of techniques exist to mitigate the problems resulting from having backdoors. One technique is to not give root privileges to any user, and instead to give individual users only the permissions needed to perform limited actions. Although this solution can be effective, many of the operations that the user may need to perform require high-level privileges, which makes it difficult to completely limit the scope of the user's access. For example, if a user is required to log into a system as root to run a script, there is typically nothing to stop the user from modifying the script to perform any action that he or she wants to perform.
Furthermore, many organizations have practices and procedures in place that require approval from multiple sources before changing computing infrastructure. For example, in order to apply a software patch, an organization may require that two or more administrators approve the installation of the patch. However, this type of requirement is nothing more than an organizational policy. There typically exists no enforcement mechanism to ensure that an administrator secures approval from a second administrator before applying the patch. Thus, a single administrator is not forced to follow the organizational policy and can potentially install malicious software without seeking approval from another administrator.
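The enforcement gap described above (a second administrator's approval existing only as policy) is what a quorum gate closes: the command runs only when enough distinct, authorized administrators have approved that exact command. The following is an added illustration, not code from the patent; it assumes a per-administrator HMAC key and a threshold of two.

```python
import hashlib
import hmac

# Constructed example (not from the patent). Each approval is an HMAC over
# the exact command text, keyed with that administrator's own secret, so an
# approval cannot be forged by the requester or reused for another command.
ADMIN_KEYS = {            # assumed per-administrator secrets (constructed)
    "alice": b"alice-secret",
    "bob": b"bob-secret",
    "carol": b"carol-secret",
}
QUORUM = 2                # distinct administrators needed, requester included


def approve(admin, command):
    """An administrator signs the exact command they are approving."""
    tag = hmac.new(ADMIN_KEYS[admin], command.encode(), hashlib.sha256)
    return admin, tag.hexdigest()


def quorum_satisfied(requester, command, approvals):
    """True if requester plus other valid approvers reach QUORUM distinct admins."""
    if requester not in ADMIN_KEYS:
        return False                      # unknown requester: no backdoor here
    approvers = {requester}               # the requester counts once, as themself
    for admin, tag in approvals:
        key = ADMIN_KEYS.get(admin)
        if key is None or admin == requester:
            continue                      # unknown admin, or self-approval
        expected = hmac.new(key, command.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            approvers.add(admin)          # a set: one admin never counts twice
    return len(approvers) >= QUORUM


def run_with_quorum(requester, command, approvals, execute=print):
    """Execute the command only when the quorum check passes; return a status."""
    if not quorum_satisfied(requester, command, approvals):
        return "denied"
    execute(command)
    return "executed"
```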
Hence, what is needed is a method and an apparatus for executing a command on a computer system without the aforementioned problems.