1. Field of the Invention
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for computer security.
2. Description of Related Art
Computer security tools provide defensive mechanisms for limiting the ability of malicious users to cause harm to a computer system. Software-based intrusion detection applications can alert a computer administrator to suspicious activity so that the administrator can take actions to track suspicious computer activity and to modify computer systems and networks to prevent security breaches.
Many security breaches to computer systems, however, occur through the neglect or forgetfulness of human beings, which renders computer systems physically vulnerable because they are physically available for unauthorized use. For example, a user may remain logged on to a computer workstation while away for lunch, and the unattended computer in the user's office is open for use by unauthorized persons. Even though a user's account or device may automatically log off after a certain period of inactivity, there remains a period of time during which an unauthorized person may gain access to the user's account for malicious activity. Similar situations require greater physical control over vulnerable devices.
In addition to asserting better security practices over unattended devices, there are many situations in which security practices could be improved over attended devices, i.e., computational resources that are actively being used by someone yet still need to be protected from unauthorized use or observation. For example, some organizations, particularly government agencies and military departments, implement various types of security procedures over personnel. Different individuals within a single organization have different duties, and various levels of security clearance or various types of compartmentalized security access are given to individuals within the same organization in accordance with the duties of those individuals. In many cases, two persons within the same organizational unit might not be authorized to view the information that is handled by each other. These organizations can implement different security procedures over computer systems that reflect the security procedures applied to different personnel; for example, each person is only authorized to access the computational resources that are necessary for his or her particular job.
Although many security breaches to computer systems occur through neglect or forgetfulness of human beings that render the computer systems physically vulnerable, many security breaches occur when human beings render those computer systems computationally vulnerable through risky computational activities. These risky computational activities increase the chances that a computer will be subject to a malicious attack or computer virus infestation. Many risky computational activities are performed knowingly. In some cases, risky computational activities are performed knowingly in an authorized manner, while unfortunately in many other cases, risky computational activities are performed knowingly in an unauthorized, negligent, or reckless manner.
For example, a person may frequently operate a computer without an active firewall. Even though certain security procedures can be automatically implemented to prevent such situations, a person may require a specifically configured computer that is unencumbered by certain computational security defenses. In some situations, in order for an employee to perform a specific work task, the employee may require a specific computer configuration, such as an inactive or disabled firewall. Hence, this person may operate the computer without an active firewall in an authorized manner. In other situations, though, a person may frequently disable a firewall in order to illegally download music or video content, which may be among the activities that the firewall would otherwise prevent. Hence, this person may operate the computer without an active firewall in an unauthorized manner. Moreover, the computer may also be rendered vulnerable by a failure to check the downloaded files for viruses.
Even though a person may actively thwart computer security defense mechanisms in an unauthorized manner, there may be legitimate reasons for tolerating certain computer vulnerabilities with respect to the computational activities of some persons. In these types of situations, as noted above, an organization can implement different security procedures over computer systems that reflect security procedures that are applied to different personnel. However, the computational activities of one person may render the computational activities of another person vulnerable because most computers operate within a networked data processing system, and many malicious vulnerabilities, e.g., viruses, can be spread through network connections from computer to computer.
Hence, there is a need to ensure that the activities of one user within a networked computational environment do not jeopardize the activities of another user. More specifically, there is a need to ensure that a computational vulnerability that is tolerated by a first user, whether authorized or unauthorized, does not introduce problems into a networked computational environment, particularly in those cases in which the computational vulnerability can spread to a second user's computer that was actively attempting to defend itself against the computational vulnerability.
Therefore, it would be advantageous to improve computational security over a data processing system by allowing computer security procedures to continue to be implemented in a flexible manner with respect to different users yet ensuring that the computer security procedures that are implemented or activated with respect to one user do not cause computational vulnerabilities for another user.