Dismiss
InnovationQ will be updated on Sunday, Oct. 22, from 10am ET - noon. You may experience brief service interruptions during that time.
Browse Prior Art Database

Automated Compliance Checking

IP.com Disclosure Number: IPCOM000029792D
Original Publication Date: 2004-Jul-13
Included in the Prior Art Database: 2004-Jul-13
Document File: 2 page(s) / 46K

Publishing Venue

IBM

Abstract

An efficient compliance checking for the status of many computer devices in a network is described. In order to check compliance for such a network usually an auditor has to inspect all devices, has to ensure that they are all in a compliant state, and that all audit logs are untampered and acceptable. It is proposed to introduce a trusted third party (TTP) acting as owner of all devices.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 1 of 2

Automated Compliance Checking

This article relates to the problem of efficient compliance checking for a large, possibly interconnected number of devices (computer, image on a virtualized computer, any device with computing power). In order to check compliance for such a network an auditor has to inspect all devices, has to ensure that they are all in a compliant state, and that all audit logs are untampered and acceptable. One way to simplify this task is to "seal" all devices once they have been found in a compliant state, and design the overall system that it cannot violate any compliance rules unless a seal is broken. For a computing device this means that the owner of the device cannot perform arbitrary actions on the device anymore, i.e., the device is enforcing a policy against the owner.

One way to implement this is integrity-based computing, which is a concept promoted by IBM based on the specifications under development by the Trusted Computing Group (TCG). Using technology based on the TCG specifications the auditor can poll each device and ask it to prove that it is still compliant (i.e., as compliant as it was when it was sealed).

While being useful for compliance checking and many other applications, restricting the owner also creates certain problems. For instance, in emergency situations it might be preferably to give the owner full freedom of action even if this means that the system gets into a non-compliant state. Also maintenance might require violating compliance rules. To handle such situations it has been proposed to modify the TCG specifications such that the owner of a device can decide at any time to break the seal. Doing this would be visible, i.e., from then on any proof given by the device would mention the fact that the owner has broken the seal (which implies that the owner could cheat and violate any policy).

This approach still has the problem...