1. Field of the Invention
The present invention relates generally to computing environment security, and more specifically, to a system and method for adapting security procedures based on computing environment activity.
2. Related Art
Since the earliest days of computers, the multi-user environment has been recognized as one in which efficiencies can be gained by allowing one or more computing resources to be shared among a plurality of users. Even in the contemporary world of personal computers, a plurality of users are typically networked or otherwise connected together to allow resource sharing.
One simple example of multiple users sharing resources is a networked computing environment. In the networked computing environment, several computers or workstations are interconnected via one or more local or wide area networks (LANs or WANs) to allow the users to share network resources. In the networked computing environment, users can share network resources such as printers, modem pools, storage space, files and other resources. Users can also communicate with one another and share files electronically via local and remote e-mail.
For as long as there have been multi-user computing environments, there have been concerns regarding the security of such environments. Early security efforts were quite simple by today""s standards and were often limited to point-of-entry security techniques such as requiring a valid user name and corresponding password. Hierarchical structures were implemented to control access to certain files or operations based on a user""s access level.
However, as users became more sophisticated, chinks in the armor of these basic security efforts were quickly uncovered. III-motived users of all ages known as xe2x80x9chackersxe2x80x9d quickly demonstrated the weakness of the minimal user name/password security techniques by breaking or xe2x80x9chackingxe2x80x9d their way into numerous high-profile and/or sensitive computing environments. In response, system developers increased security measures. This increase in security measures was matched by corresponding advances in hacker techniques. So has the relationship between computer, or network, security administrators and hackers continued.
Access of computing resources by unauthorized hackers from the outside is not the only security concern. Also of concern are authorized users attempting to operate beyond the scope of their user authority. In many systems, there are certain files or resources for which access is restricted, or certain administrative or other operations which can only be performed by system administrators. Also, where disk space is shared, users may not be granted access to certain files of other users. Beyond these specifically restricted operations, there may be certain activities of authorized users that may be deemed inappropriate, or may be indicative of inappropriate activities. For example, a user accessing and copying a large number of files may indicate that the user is attempting to abscond with important proprietary information. Thus, the security concerns include effectively restricting an authorized user to have access to files or to perform operations within his or her authority.
The present invention is directed toward a system and method for providing enhanced security features to a computing system such as, for example, a networked computing environment. According to one aspect of the invention, a security policy system allows the creation and implementation of one or more security procedures. These procedures can include, for example, audit policies, collection policies, detection policies, and security policies.
An audit policy is defined and implemented in a networked computing environment to define or identify activities of, or occurrences from, a user, or group of users, to be audited. The auditing performed can include monitoring the networked computing environment for the occurrence of the identified activities for the users or groups of users. The auditing can also include logging the occurrences of audited events. In one embodiment, the occurrences of audited activities or events are recorded in one or more event log files.
A collection policy identifies the frequency with which audited data, or events, are collected and provided to a detection subsystem. The collection policy sets forth the schedule by which audited events are collected from the auditing engine and provided to a detection engine.
A detection policy defines how the audited activities are analyzed to detect a security occurrence. The term security occurrence is used to refer to the occurrence of: one or more instances of an actual or attempted security breach; a potential security breach; suspect, unauthorized, or abnormal activity in the networked computing environment; or out-of-the-ordinary activities or a predefined condition which may indicate a security breach or unwanted activity is being attempted. In one embodiment, the detection policy can identify threshold settings, trigger levels or ranges for the audited activities so that security occurrences can be identified from the collected occurrences of audited activities.
A security policy defines the security practices of one or more resources in the computing environment. For example, the security policy may define criteria such as the number of unsuccessful logon attempts allowed before a system is shutdown or a user""s ID is invalidated, the aging of passwords, the size and type of passwords, the level of access granted to guest users, and so on.
In a computing environment such as, for example, a networked computing environment, a security or system administrator can define the initial security procedures for the computing environment. These can include a definition of one or more of audit policies, security policies, detection policies and collection policies. The definition is usually made based on the level of security desired for the network, considering the overhead associated with monitoring network activities and detection of security occurrences.
According to one aspect of the invention, when a security occurrence is detected, one or more of the policies that make up the security procedures can be modified and the modified policy or policies implemented in the computing environment. According to this adaptive feedback aspect of the invention, policies can be adaptively updated and the updated policies implemented in the network. The updates can be made based on security concerns or procedures in general, or based on an identification of the user or users associated with one or more detected security occurrences.
Additionally, information relating to the type of security occurrence detected can be used in updating and implementing the one or more policies in the computing environment. In one embodiment, the updates to the policies that make up the security procedures can be fully automated such that no intervention by an administrator is required. Alternatively, alerts to an administrator can be provided such that an administrator can be asked to provide feedback or other input to control, monitor or approve the updating of the security procedures.
In another embodiment of the invention, a security or network administrator can establish predefined levels of security upgrade based on the security occurrences detected. In this embodiment, when the security occurrence is detected, one or more of the security procedures are updated to a higher predefined level. According to yet another aspect of the invention, each of the individual security procedures can be set to have a stepwise or incremental increase in security level. Security procedures can also be set to increase to a maximum defined security level upon the detection of a security occurrence. The monitoring, detecting, and policy updating can continue to occur in a cyclical fashion, depending on the circumstances surrounding the security occurrence(s), until some predefined limit or limits are reached, or until an administrator or other authorized personnel intervenes.
One advantage of the invention is that security procedures, including one or more of the associated policies, can be updated automatically upon the detection of a security occurrence. Such an update can be accomplished at a predetermined level and without user intervention.
Another advantage of the invention is that the updates to the policies that make up the security procedures can be determined based on an identification of the user or users associated with detected security occurrences. The updates can also be made based on an identification of the types of activities indicated by the detection of the security occurrences. As such, security procedure updates and implementations can be made based on actual or perceived needs and tailored to specific occurrences. As such, system performance degradation, which would otherwise occur as a result of shifting to a maximum security procedure, can be avoided.
According to another aspect of the invention, custom audit policies can be defined to identify one or more users or groups of users, one or more activities or occurrences associated with the identified users or groups of users, and other activities or occurrences to be audited. One advantage of the custom audit policy is that wild card designators can be used to allow activities or occurrences relating to particular files or types of files to be tracked across a number of diverse computer architectures, irrespective of the specific file structure implemented thereon.
In this document, the term xe2x80x9cuserxe2x80x9d is used to refer to one or more users or groups of users, whether authorized or unauthorized. The term xe2x80x9csecurity administratorxe2x80x9d refers to a user having rights to oversee or adjust the security aspects of all or part of the computing environment and can include, for example, a system administrator or a network administrator.