Connectivity, functionality and security are conflicting objectives in the application environment of organizations. A typical modern application environment allows users to execute a wide range of applications and offers various services in order to meet the needs of a modern organization. Unfortunately, the need to provide a wide range of application services to many users can render these services vulnerable to attack or misuse by external entities, such as hackers, or by unauthorized entities.
Currently, securing computer applications and services involves the manual setting of a security policy, which is based on “best practice” guidelines and on prior knowledge of the applications, services and networks involved. Special security applications have been developed in order to provide the system manager with the ability to enforce the security policy, or to detect unauthorized flaws, use or operations. Some security applications are network-oriented, with the intention of enforcing security within the network domain. Examples of such network-oriented security applications are the “Firewall” products of Checkpoint Inc. and Symantec Inc. Application-oriented security packages, which are intended to enforce and ensure a security policy within the application domain, have also been introduced. An example of such an application-domain security package is InterDo by KaVaDo Inc. Normally, the applied security policy heavily depends on, and is affected by, the administrator's security skills and knowledge of the application, the network, the services and the entire environment.
Means, which hereinafter will be referred to as “security scanners” or, more generally, “trusted sources”, are also known in the art, and are used for checking whether the computerized environment complies with the security policy as set. Each of these scanners or trusted sources is generally compatible with one security package. The scanners test and challenge the domain which is protected by the security application, and provide a report regarding the flaws found and the identified attributes. It is then left to the administrator to interpret the report and to correct whatever is needed. The correction of the reported flaws and identified attributes heavily depends on the skills of the system administrator. More particularly, the correction often requires programming-oriented skills, which the average system administrator lacks.
Another aspect of this problem is the fact that computerized environments are very dynamic. New users are introduced to the environment and others are removed, new applications or hardware are introduced or removed, and, most importantly, the applications themselves are in many cases dynamically amended or changed by programmers or users within the environment. The system administrator often does not have full control over all these rapidly occurring changes, many of them being reported afterwards, if at all. As a result of the above-described situation, current security policies are enforced rather statically, and the applications and the environments remain vulnerable.
It is an object of the present invention to provide a system and method for constantly or periodically checking the compliance of the application and its environment with the security policy enforced, to detect and verify incompatible security flaws and attributes, and to automatically or semi-automatically correct and eliminate said flaws.
It is another object of the present invention to associate said system and method with the security applications operating within the computerized environment.
It is still another object of the present invention to provide means for dynamically checking and correcting each specific security policy which is enforced by any of the security applications operating within the computerized environment.
It is still another object of the present invention to perform said tasks in a simple and efficient manner.
It is still another object of the invention to provide means which can effectively receive indications and reports of flaws from security scanners or other trusted sources, and to correct the same in an automatic or semi-automatic manner.
Other objects and advantages of the invention will become apparent as the description proceeds.
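As an added illustration of the detect, correct and verify loop described above (example code written for this page, not the patent's own implementation): a Python sketch that takes a constructed scanner report, applies the corrections that a playbook marks as automatic, re-checks that each flaw is actually gone, and queues everything else for the administrator. The report contents, the policy structure and the playbook are hypothetical.

```python
# Constructed scanner report (not from any real scanner): each finding names the flaw
# the scanner found and the attributes it identified in the protected domain.
SCANNER_REPORT = [
    {"id": "F-1", "flaw": "open_port", "attributes": {"port": 23, "service": "telnet"}},
    {"id": "F-2", "flaw": "weak_tls", "attributes": {"host": "app1", "min_version": "TLSv1.0"}},
    {"id": "F-3", "flaw": "unknown_service", "attributes": {"port": 8443, "service": "new-api"}},
]

# Hypothetical security policy, as a security application might hold it.
POLICY = {"allowed_ports": {22, 23, 80, 443}, "min_tls": "TLSv1.0"}

# Playbook entries: (check that the flaw is still present, corrective action, mode).
# "auto" fixes run unattended; anything else is the semi-automatic path.
def port_open(policy, a): return a["port"] in policy["allowed_ports"]
def close_port(policy, a): policy["allowed_ports"].discard(a["port"])
def tls_weak(policy, a): return policy["min_tls"] in ("TLSv1.0", "TLSv1.1")
def raise_tls(policy, a): policy["min_tls"] = "TLSv1.2"

PLAYBOOK = {
    "open_port": (port_open, close_port, "auto"),
    "weak_tls": (tls_weak, raise_tls, "auto"),
}

def reconcile(report, policy, playbook=PLAYBOOK):
    """Correct the reported flaws in the policy; return (applied, pending) finding ids.

    A finding counts as applied only if its action ran and the re-check confirms
    the flaw is gone; unknown flaw types and failed fixes go to the administrator."""
    applied, pending = [], []
    for f in report:
        entry = playbook.get(f["flaw"])
        if entry is None or entry[2] != "auto":
            pending.append(f["id"])  # no automatic handler: leave for manual correction
            continue
        check, fix, _ = entry
        if not check(policy, f["attributes"]):
            continue  # already compliant, e.g. corrected via an earlier finding
        fix(policy, f["attributes"])
        if check(policy, f["attributes"]):
            pending.append(f["id"])  # verification failed: escalate instead of claiming success
        else:
            applied.append(f["id"])
    return applied, pending

if __name__ == "__main__":
    print(reconcile(SCANNER_REPORT, POLICY), POLICY)
```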