Computer security is imperative in this information age. Protecting sensitive computer data from unauthorized access is one of the most important and daunting tasks faced by computer experts, businesses and government agencies. One way of protection is checking access to a specific application area, for example, checking access to a table, a form, a web resource or a business transaction. Existing systems sometimes provide a framework to govern the access to the application, while the framework has no knowledge about the protected application, its sensitivity or its business relevance. Another way of protection is implementing security controls in applications that require a user to possess certain authorizations to access data (e.g., the user is required to be in a certain role or to hold a specific authorization object).
However, not all applications in a computer system are protected, and the level of protection differs from application to application. In particular, custom-built applications need to follow the same steps in order to ensure an adequate level of protection, but the development process is mostly tedious and not always documented. Further, there is a gap between the authorization enforcement point and the business resource to be protected. While this link is missing, there is also no way to link the enforced authorizations with the users' responsibilities. In essence, it is impossible to technically verify that the actions performed by a user correspond to the user's business responsibilities. Another consequence is that it is not possible to reliably determine the minimal authorizations that must be assigned to a user in order for this user to perform a specific business function.
Moreover, nested applications (layers of applications) bring further complications. In one approach to nested applications, the authorizations are enforced only on the entry level of the application; the consequence is that the knowledge about the resources accessed in the deeper levels of the nested application is lost. In another approach, the authorizations are enforced on all levels of the nested application; in this case the user needs extensive authorizations, which both makes administration tedious and endangers system security, because the user might directly access resources that should only be modified as a reaction to the change of another resource (e.g., the application log or change documents).
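To make the two enforcement approaches concrete, the following is an added toy model (constructed for this illustration, not code from the patent or any product it describes) of a nested application whose call graph and resource names are assumed. It computes which resources each approach "sees", which derived-only resources the all-levels approach exposes to direct access, and, for contrast, the minimal authorization set that becomes computable once the enforcement point is linked to the resources behind it.

```python
from typing import Dict, Set

# Constructed call graph: each application lists the nested applications it
# calls. Names are illustrative assumptions, not real transactions.
CALLS: Dict[str, Set[str]] = {
    "post_invoice": {"update_ledger", "write_change_doc"},
    "update_ledger": {"write_app_log"},
    "write_change_doc": set(),
    "write_app_log": set(),
}
# Constructed mapping from each application to the resources it touches directly.
RESOURCES: Dict[str, Set[str]] = {
    "post_invoice": {"INVOICE"},
    "update_ledger": {"GL_ACCOUNT"},
    "write_change_doc": {"CHANGE_DOC"},
    "write_app_log": {"APP_LOG"},
}
# Resources that should only change as a side effect of another change.
DERIVED_ONLY: Set[str] = {"CHANGE_DOC", "APP_LOG"}


def reachable_resources(app: str) -> Set[str]:
    """All resources touched by `app` or by anything it calls (depth-first)."""
    seen: Set[str] = set()
    out: Set[str] = set()
    stack = [app]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        out |= RESOURCES.get(current, set())
        stack.extend(CALLS.get(current, set()))
    return out


def entry_level_check(app: str) -> Set[str]:
    """Approach 1: enforcement only at the entry level. The check sees just the
    entry application's own resources; everything nested is invisible to it."""
    return set(RESOURCES[app])


def all_levels_check(app: str) -> Set[str]:
    """Approach 2: enforcement at every level. The user must hold an
    authorization for every resource reached, including derived-only ones."""
    return reachable_resources(app)


def directly_exposed(app: str) -> Set[str]:
    """Derived-only resources the user could now modify outside the business function."""
    return all_levels_check(app) & DERIVED_ONLY


def minimal_business_authorizations(app: str) -> Set[str]:
    """What a link between enforcement point and resource makes computable:
    the resources a user genuinely needs for the function, excluding those that
    are only written as a side effect."""
    return reachable_resources(app) - DERIVED_ONLY
```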
A traditional computer security audit does not help to link the authorization enforcement point and the business resource to be protected. A computer security audit has been the traditional way to assess the adequacy of the security protections of a system or application. The security audit can be manual or automated. Manual assessments often include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, or Computer Assisted Auditing Techniques (CAAT), often include system-generated audit reports or the use of software to monitor and report changes to files and settings on computer systems (e.g., personal computers, servers, mainframes, network routers, switches) or software applications (e.g., web services, database servers).
One form of security audit is implemented by an extensive analysis of the various log files reflecting the access history of a system. In fact, provided there is a central authorization enforcement authority in the system, the easiest way to generate a security-relevant trace is to record all authorization decisions taken by this central authority. But this approach is backward-oriented and can give only limited information about the potential risk state of the system. The fact that no misuse of business data has taken place does not necessarily mean that such misuse is not possible in a given system or application setup. This approach cannot close the gap between the authorization enforcement point and the business resource to be protected.
Another approach to security audit is to systematically assess the organization's security policy and the way it is applied at a specific site. However, using this approach, security auditors typically require full knowledge of the organizational structure, of the processes employed and of the resources to be protected. Often, considerable inside information is required in order to understand the processes involved in accessing the business data. Further, auditors and systems speak different languages. The auditors have a thorough understanding of the resources to be protected. This understanding is expressed in business terms, like general ledger, financial account, and customer data. The exigencies of efficient data storage and access mean that this data is never directly and entirely mapped to some dedicated, identifiable database element. On the other side, identifying the access paths to this data is required in order to be able to judge its effective protection during an audit. Given the dynamic nature of computer configurations and information storage, this means that the auditor must keep up with the internal workings of every audited application, just in order to identify the paths for accessing the resource. Although an audit can verify that each user is assigned authorizations commensurate with their job responsibilities, it is difficult to decide which authorizations are required for performing a job. This approach cannot close the gap between the authorization enforcement point and the business resource to be protected, either.
Therefore, there is a need for a system and method that provides a mechanism to translate the business data to assignable authorizations.