1. Field of the Invention
This invention relates to computer security. More particularly, this invention relates to the automatic detection of atypical data access behavior in organizations having a diversity of file access control models.
2. Description of the Related Art
Data security policies typically determine who has access to an organization's stored data on various computer systems. These policies cannot be static. Users from within the organization, e.g., employees, partners, contractors, can pose a threat as severe as threats from outside the organization. Thus, as the structure and personnel makeup of the organization change, the security policy should be adjusted from time to time. Yet, information technology (IT) departments lack effective tools to manage user access rights and to ensure that needed information is conveniently available, while still protecting the organization's sensitive data.
Current techniques available to IT personnel include review and maintenance of access control lists, in conjunction with administration of user names, passwords, and the extension of such techniques to include biometrics, encryption, and limitation of access to a single sign-on. Such techniques are inefficient, often inaccurate, and become impractical in the context of large, complex organizations whose structure and personnel are constantly changing.
Aids to security are available for enterprises using particular operating systems or environments. These are often based on role-based access control, a technique that has been the subject of considerable interest for the last several years by governmental organizations, and has more recently been adopted in commercial enterprises. A typical proposal for role-based access controls in a multi-user SQL database is found in the document Secure Access Control in a Multi-user Geodatabase, Sahadeb De et al., available on the Internet at the URL “http://www10.giscafe.com”.
Nevertheless, access control technologies have not been optimally implemented in enterprises that utilize diverse access control models. The state of the art today is such that there is no easy way for system administrators to know who is accessing what in such environments. As a result, in many organizations an unacceptably high proportion of users have incorrect access privileges. The related problems of redundant access rights and orphan accounts of personnel who have left the organization have also not been fully solved. Hence, there is a need for an automatic method for controlling user file permissions in order to improve data security, prevent fraud, and improve company productivity. Furthermore, misuse of data access, even by authorized users, is a concern of those charge with maintaining system security.