1. Field of the Invention
The invention relates to remote access to computer systems. Specifically, the invention relates to apparatus, systems, and methods for authorized remote access to a target system.
2. Description of the Related Art
Remote access to computer systems has generally been a desired feature of computer systems since computers began communicating with each other over communication networks. Remote access often saves a remote user time, travel, and other expenses involved in physically visiting a computer system. Remote access allows the remote user to interact with a computer system as though the user were using interface devices such as monitors, keyboards, and mice that directly connected to the computer system.
Remote access over communication networks may include a dialup connection over a telephone network, a terminal interface, or a network connection over a Local Area Network (LAN), a Wide Area Network (WAN), the Internet, or the like. Generally, the more geographic area the communication network covers, the more open the communication network is to remote connections from unauthorized remote users. Consequently, the more open the communication network is, the more the security of information passing over the network is a concern.
Generally, security systems for remote access involve a user ID and a password. Certain security systems may include multiple user ID and password interfaces before the remote user may remotely access a target system. However, the number of user ID password interfaces is balanced against the usability of the target system by remote access and the importance of the data or target system being protected. Having too many user ID/password interfaces may cause remote users to shun remote access due to the inconvenience.
One example of target systems that provide remote access is data storage and management systems. Businesses and large institutions such as governments rely heavily on computer systems that involve large amounts of sensitive data. The sensitivity of the data may relate to the privacy of individuals and/or trade secret information. Generally, one or more data storage systems comprising multiple storage subsystems manage the data. One example of such a storage system is a Virtual Tape System (VTS) available from International Business Machines™ of Armonk, N.Y. Typically, the VTS cooperates with an automated tape library (ATL) to provide large capacity primary or secondary storage.
Typically, remote access is provided to these data storage and management systems such that a manufacturer of the data storage system may readily monitor, service, or maintain the data storage system. Conventionally, due to the sensitivity of the data, owners of the data storage system are hesitant to allow anyone, including data storage system manufacturers, remote access to the data storage system. Some may require that all maintenance, service, and performance monitoring be performed on-site. Others may require that remote access only be provided in response to authorization granted by on-site system operator. Certain owners may require that the manufacturer only conduct remote access over a secure intranet. The owners seek to limit the exposure of the data storage system to threats of remote access by unauthorized remote users. In addition, it may be desirable that the actions of remote users be limited once a remote connection is made and traceable to determine where security vulnerabilities may lie.
Unfortunately, perfectly secure remote access is difficult to achieve. As mentioned above, conventional systems may require a remote user to provide a login ID and a password. However, the user ID and password may be generic and known to a number of technicians employed by the manufacturer to service a particular target system. The more people who know the user ID and password, the higher the risk that unauthorized users may learn the user ID and password.
Certain unscrupulous remote users may intentionally or accidentally disclose the user ID and password to an unauthorized third party. Confirming that the remote user providing the user ID and password is in fact an authorized remote user may be difficult. In addition, previously authorized users who know the user ID and password may become unauthorized due to misconduct, change in assignment, leaving the employ of the manufacturer, or the like. Conventional data storage systems do not provide an easy mechanism for revoking authorization from previously authorized remote users.
In addition, providing a single user ID and password may provide unrestricted access to the entire target system including subsystems. Typically, the actions of the connected remote user are not tracked. In addition, unsuccessful attempts to connect to the target system are also not tracked.
Accordingly, what is needed is an apparatus, system, and method to overcome the security risks of conventional security systems. In particular, the apparatus, system, and method should require a remote user to provide a plurality of passwords and/or user IDs. The apparatus, system, and method should provide restricted remote access to functionality of the target system. The apparatus, system, and method should track actions of remote users for both successful remote connections and unsuccessful remote connection attempts. The apparatus, system, and method should securely provide a random password to a remote user wherein authorization for the random password expires. In addition, the apparatus, system, and method should confirm that the remote user entering user identifiers and passwords is in fact still an authorized individual at the time remote access is attempted. Such an apparatus, system, and method are provided herein.