1. Field of the Invention
This invention pertains in general to data communications and processing and in particular to enforcing security policies in heterogeneous systems.
2. Description of the Related Art
As computers and networks proliferate and become more powerful and affordable, a growing number of enterprises use them both to perform critical tasks and to manage sensitive information. The same convenience, however, makes confidential information easy to reach. Confidential information is often distributed among multiple enterprise systems (e.g., a document management system, an email system, a web server). Its proliferation across multiple systems creates a security risk because it increases both the number of people who can access the information and the number of systems on which that access must be controlled.
This easy access to confidential information is problematic because an enterprise may have many reasons to restrict access to it. For example, the enterprise may need to enforce ethical screens (information barriers between groups) in order to prevent conflicts of interest. Likewise, it may wish to restrict certain information, such as financial data, to only those people who need it. Because the restricted information can be distributed across several systems, the access restriction must be enforced on every one of them to be effective: a restriction that the document management system enforces but the email system does not is defeated as soon as the document is emailed.
One approach to enforcing a universal security policy across multiple systems is to manually configure the security component of each system to enforce it. For example, administrators must configure one set of local security rules for a document management system, a different set for an email system, and another set for a directory service. The local security rules of different systems differ in form and granularity even when they reflect the same universal security policy. Because each security component is tailored to its own system, every update of the universal security policy requires administrators to reconfigure the security component of each system, which increases the risk of human error and of inconsistency between systems. Also, because the universal security policy must be enforced across all systems within the organization, manual configuration becomes impractical as the complexity of the policy grows.
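The following is an added illustration of the manual-configuration approach just described; it is not code from the patent. It models a universal policy as (group, tag, effect) clauses and renders it into three hypothetical local rule syntaxes (a document management ACL, a mail-gateway filter, and directory-service group memberships, all invented for the example) to show that the same policy looks different on each system and that some systems cannot even represent every clause. It then diffs what each system should enforce against what an administrator actually configured after a policy change, which is the drift that manual reconfiguration invites.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One clause of the universal policy: a subject group, an information
    classification tag, and whether access is allowed or denied."""
    group: str
    tag: str
    effect: str  # "allow" or "deny"


# Constructed sample policy (not from the patent): two ethical screens between
# deal teams, plus need-to-know access to financial data.
UNIVERSAL_POLICY: List[Rule] = [
    Rule("deal-team-A", "client-B", "deny"),
    Rule("deal-team-B", "client-A", "deny"),
    Rule("finance", "financial", "allow"),
]


def dms_rules(policy: Iterable[Rule]) -> Set[str]:
    """Hypothetical document-management ACL syntax: one entry per clause,
    so every clause of the universal policy is representable here."""
    return {f"acl {r.tag} {r.group} {r.effect}" for r in policy}


def mail_rules(policy: Iterable[Rule]) -> Set[str]:
    """Hypothetical mail-gateway syntax: the gateway can only reject, so
    only deny clauses become filters and allow clauses produce nothing."""
    return {f"if label=={r.tag} and recipient in {r.group}: reject"
            for r in policy if r.effect == "deny"}


def directory_rules(policy: Iterable[Rule]) -> Set[str]:
    """Hypothetical directory-service syntax: access is modelled as membership
    of a per-tag reader group, so only allow clauses are representable."""
    return {f"member {r.tag}-readers {r.group}"
            for r in policy if r.effect == "allow"}


RENDERERS = {"dms": dms_rules, "mail": mail_rules, "directory": directory_rules}


def render_all(policy: Iterable[Rule]) -> Dict[str, Set[str]]:
    """The local rule set each system should carry for the given policy."""
    policy = list(policy)
    return {name: render(policy) for name, render in RENDERERS.items()}


def find_drift(policy: Iterable[Rule],
               configured: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Compare what each system should enforce with what was actually
    configured. Returns {system: (missing_rules, extra_rules)}; an empty
    dict means every local rule set matches the universal policy."""
    drift: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for name, expected in render_all(policy).items():
        actual = configured.get(name, set())
        missing, extra = expected - actual, actual - expected
        if missing or extra:
            drift[name] = (missing, extra)
    return drift


def simulate_manual_update() -> Dict[str, Tuple[Set[str], Set[str]]]:
    """A new ethical screen is added to the universal policy; the administrator
    updates the DMS and the directory but forgets the mail gateway."""
    new_policy = UNIVERSAL_POLICY + [Rule("deal-team-C", "client-A", "deny")]
    configured = render_all(UNIVERSAL_POLICY)          # state before the change
    configured["dms"] = dms_rules(new_policy)          # updated by the admin
    configured["directory"] = directory_rules(new_policy)  # updated by the admin
    return find_drift(new_policy, configured)


if __name__ == "__main__":
    # Fully consistent configuration: no drift.
    assert find_drift(UNIVERSAL_POLICY, render_all(UNIVERSAL_POLICY)) == {}
    for system, (missing, extra) in simulate_manual_update().items():
        print(f"{system}: missing={sorted(missing)} extra={sorted(extra)}")
```

Note that the directory renderer reports no drift after the update even though it was not involved in enforcing the new screen: it simply cannot express a deny clause, so the screen is enforced only on systems whose local syntax can carry it, and only if the administrator remembered each of them.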
Alternatively, some applications try to enforce a universal security policy across multiple systems by installing a module in each of the systems. The module enforces the universal security policy by filtering the traffic of its associated system and blocking traffic that violates the policy. This approach slows down network traffic and degrades the performance of the systems. It is also inefficient because the modules do not use the security component provided by the associated system, which tends to be more efficient because it is integrated into the system. Further, the information within an enterprise is ever changing: employees and customers come and go, and emails and documents are created and modified constantly. Unless the universal security policy is updated to reflect these changes and enforced by each of the modules in real time, people may gain access to information they are not authorized to see.
Therefore, there is a need in the art for a way to enforce a security policy across multiple systems.