The invention relates to the field of computer system security.
Existing computer systems typically employ a variety of security-related functions for protection against potentially harmful user activity. For example, user authentication is often employed, which requires a user to provide a password or other credential that establishes the user's identity, protecting against the possibility of an intruder masquerading as an authorized user and engaging in harmful activity. Another type of function, referred to as access control, enforces limitations on the activities that authorized users can engage in. In one common example, access controls may be placed on certain storage devices or file system directories so that only certain users are permitted to access the data therein. Such access controls can serve to protect sensitive data from being accidentally deleted or used for an improper purpose by a user who has no legitimate need for access to the data. One dimension of access control concerns the type of user. Users can include typical or “non-privileged” users, who simply use a system, and administrative or privileged users, who engage in more sensitive operations such as configuring a system or taking other system-wide action. Privileged users, who are normally selected in part based on perceived trustworthiness, are by definition granted greater access to system operational functions than is granted to non-privileged users.
A computer system may range in complexity from a single computerized device (e.g., a personal computer or standalone server computer) to a large network of numerous interconnected computerized devices. Security functions may be applied at the level of an individual computer or system-wide. In one pertinent example, a so-called storage area network or SAN is a specialized computer system having server-type host computers and large-capacity storage systems connected by a high-bandwidth data network. A SAN is typically managed using a SAN management application (executing on a management station, for example) and management agents executing on managed components within the SAN (e.g., hosts, storage systems, network switches, etc.). Management functions may include sensitive operations such as dismounting a disk drive, making it unavailable to applications executing on the host computer(s) of the SAN. Security functions may be used to ensure that a user is properly authenticated and has proper access privileges before the user is permitted to initiate such a sensitive operation.
A technique known as multi-factor authentication has been used for improved security in certain settings, notably for web-based services such as online banking. These techniques are directed to verifying the identity of a user, taking into account factors such as the network address of the computer being used by the user, the time of access, the type and size of a financial transaction, etc. Pertinent data is gathered and provided to a multi-factor authentication system that uses a rule-based approach to assessing whether a user is permitted access to a system, based in part on the circumstances of the access.
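As an added illustration (not part of the patent text), the following applies the rule-based, circumstance-aware assessment described above to the SAN management scenario of the preceding paragraphs: the access-control gate on user type is checked first, then contextual rules on network address, time of access and operation type produce an allow, step-up or deny decision. The management subnet, the set of sensitive operations, the rule weights and the decision thresholds are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed values for the example: the management station subnet and
# the operations the SAN management application treats as sensitive.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
SENSITIVE_OPS = {"dismount_disk", "reconfigure_switch"}


@dataclass
class AccessRequest:
    user: str
    privileged: bool    # administrative user under the access-control model
    operation: str      # management operation being requested
    source_ip: str      # network address of the user's workstation
    when: datetime      # time of access


# Rule table: (description, risk weight, predicate over the request).
# Weights and thresholds below are constructed, not taken from the patent.
RULES = [
    ("source address outside the management network", 2,
     lambda r: ipaddress.ip_address(r.source_ip) not in MGMT_NET),
    ("access outside business hours (08:00-18:00)", 1,
     lambda r: not (8 <= r.when.hour < 18)),
    ("sensitive management operation", 1,
     lambda r: r.operation in SENSITIVE_OPS),
]


def evaluate(req: AccessRequest):
    """Return (decision, reasons); decisions are ALLOW, STEP_UP (an
    additional authentication factor is required) or DENY."""
    # Access control is a hard gate evaluated before any circumstantial
    # scoring, so favourable context can never promote a non-privileged user.
    if req.operation in SENSITIVE_OPS and not req.privileged:
        return "DENY", ["non-privileged user requested a sensitive operation"]
    fired = [(desc, w) for desc, w, pred in RULES if pred(req)]
    score = sum(w for _desc, w in fired)
    reasons = [desc for desc, _w in fired]
    if score >= 4:
        return "DENY", reasons
    if score >= 2:
        return "STEP_UP", reasons
    return "ALLOW", reasons


def decide(user, privileged, operation, source_ip, iso_time):
    """Convenience wrapper taking the time of access as an ISO 8601 string."""
    req = AccessRequest(user, privileged, operation, source_ip,
                        datetime.fromisoformat(iso_time))
    return evaluate(req)
```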