Computer systems of all types, including networks, routers, switches, mainframes, personal computers, smartcards or other data processing systems, often contain data or applications that are confidential or otherwise are subject to limited access. Access to these objects may be controlled through a security policy which prohibits access by a user, whether it be a person, a person within a defined group, another computer or other computer program, unless that subject has the proper authorization. That is, two states exist: either a request for access is granted or it is denied. Factors in a valid authorization include verifying the subject's identity and authorizing the right of access to given objects and/or processes. These factors are known in the art as verification and authorization, respectively, and may be unique to each subject.
Arbitration is the process of determining whether an authenticated subject has valid access to a given object. Arbitration is typically implemented on a compulsory basis requiring all users in a secure environment to be constrained by the same security policy in a non-refutable manner; access is either denied or granted.
It is sometimes desirable to implement a new security policy. The change may be made to implement a security policy where none existed before, to update an existing policy with more robust security criteria, or to change existing criteria. If a system has a large number of subjects and objects, however, it may be difficult to implement a new security policy because each subject and object has its own unique security profile. Ensuring that the security information for all subjects and objects has been updated to satisfy the new security criteria may not be practical. One factor is that the identity of all subjects may not be known. Or, it may be difficult to ascertain which users should have access to which objects. The result is that many users may be blocked from accessing previously accessible objects when a new security policy is implemented all at once across a system. This severely and unacceptably limits use of the system until each user has been individually identified and then given access rights that satisfy the new security criteria.
It is desirable, then, to be able to implement a new security policy across an entire data processing system without inadvertently denying access to a number of valid users. This can be achieved by arbitrating access to a secured system in a new manner: a tertiary state (in addition to access-granted and access-denied) is created wherein the new security policy co-exists with the prior security policy. That is, a state is created in which access is neither granted unconditionally nor necessarily denied. During the transition from the old to the new security policy, users whose access rights satisfy the previous criteria may be allowed access until those rights can be updated to satisfy the criteria of the new policy. This eliminates the period during which valid users are denied service until their rights are modified to satisfy the new criteria.
The arbitrated access may be an audited event, purely for notification or to ensure appropriate response by a security administrator or user. At no point is the security less restrictive than the prior policy, as the previous security policy remains in effect for all arbitrated activity that does not satisfy the criteria of the new policy.
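As an added illustration (not code from the original text), the three-state arbitration described above expressed in Python: the old and new policies are predicates over a subject and an object, an access that satisfies only the prior policy is allowed but audited, and the group-membership and MFA criteria are constructed examples.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Decision(Enum):
    GRANTED = "granted"        # satisfies the new policy
    ARBITRATED = "arbitrated"  # fails the new policy but passes the old one: allowed and audited
    DENIED = "denied"          # fails both policies


@dataclass
class Subject:
    name: str
    groups: frozenset
    mfa: bool = False  # hypothetical criterion introduced by the new policy


# Constructed policies: the old policy requires group membership only,
# the new policy additionally requires that the subject has enrolled in MFA.
def old_policy(subject: Subject, obj: dict) -> bool:
    return obj["owner_group"] in subject.groups


def new_policy(subject: Subject, obj: dict) -> bool:
    return old_policy(subject, obj) and subject.mfa


@dataclass
class Arbiter:
    old_policy: Callable[[Subject, dict], bool]
    new_policy: Callable[[Subject, dict], bool]
    audit_log: list = field(default_factory=list)

    def arbitrate(self, subject: Subject, obj: dict) -> Decision:
        if self.new_policy(subject, obj):
            return Decision.GRANTED
        if self.old_policy(subject, obj):
            # Transitional state: the subject is admitted under the prior policy,
            # and the event is recorded so an administrator can update its rights.
            self.audit_log.append((subject.name, obj["name"], "old-policy-only"))
            return Decision.ARBITRATED
        # Denied by the old policy as well: the transition is never more permissive
        # than the policy it replaces.
        return Decision.DENIED
```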