
Context dependent security

IP.com Disclosure Number: IPCOM000149844D
Original Publication Date: 2007-Apr-10
Included in the Prior Art Database: 2007-Apr-10
Document File: 3 page(s) / 114K

Publishing Venue

IBM

Abstract

With today's security systems the rules governing the validation are static and are equally thorough for all users. This results in the administration of the security system having to apply the 'worst case' security rules on all occasions. These rules then apply to all users of the system, whether trusted employees or unknown Internet users, resulting in a significant administration overhead and in overly-rigid security rules for trusted employees. This invention applies 'context' to the usual security considerations, in order to apply the appropriate level of security checking according to the classification of user.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 53% of the total text.

Page 1 of 3

Context dependent security

With today's security systems (authentication and authorization) the rules governing the validation are static and are equally thorough for all users. This results in the administration of the security system having to apply the 'worst case' security rules on all occasions. For example, if an airline reservation system is to be accessed by users external to the airline company, stringent authentication and authorization policies have to be put in place to ensure that no malicious use is possible. These rules then apply to all users of the system, whether trusted employees or unknown Internet users, resulting in a significant administration overhead and in overly-rigid security rules for trusted employees.

This invention applies 'context' to the usual security considerations, in order to apply the appropriate level of security checking according to the classification of user. If, for instance, a user is known to be connecting from within the context of a secured area, then the authentication of the user has already taken place through access to the secure area, and need not be enforced again by the application. This allows authenticated company employees to access systems without stringent userid and password authentication, or with a default level of authorization superior to that of external users.

There may be multiple levels of context, associated with multiple levels of security checking.

In addition, in the cases where a userid and password (or any other method of authentication) is always required, an additional level of security may be applied (e.g. access can only be granted from within company offices). This protects against cases where authentication data is discovered by malicious users, and even against brute-force attacks from outside the company.
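The three mechanisms above (a context level derived from where the user connects from, a per-context choice of authentication strength and default authorization, and an office-only restriction that applies even when credentials are valid) can be combined in one small policy decision routine. The following Python is an added illustration written for this page; it is not code from the IBM disclosure. The context levels, the address ranges used to recognise office and VPN connections, the resource names and the role names are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from enum import IntEnum


# Context levels, ordered from least to most trusted. Constructed for this
# example; the disclosure only says there may be "multiple levels of context".
class Context(IntEnum):
    INTERNET = 0   # unknown external user
    VPN = 1        # remote employee over the company VPN
    OFFICE = 2     # connected from inside a company office (the "secured area")


# Constructed sample address ranges (assumption, not from the disclosure).
OFFICE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
VPN_NETS = [ipaddress.ip_network("10.200.0.0/16")]


def classify_context(source_ip: str) -> Context:
    """Map the caller's source address to a context level."""
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in OFFICE_NETS):
        return Context.OFFICE
    if any(addr in net for net in VPN_NETS):
        return Context.VPN
    return Context.INTERNET


@dataclass(frozen=True)
class Request:
    source_ip: str
    resource: str
    credentials_valid: bool  # outcome of the userid/password check, if any were presented


# Per-context policy: whether the application must still check a password,
# and the default authorization granted without further checks.
POLICY = {
    Context.OFFICE:   {"needs_password": False, "default_role": "employee"},
    Context.VPN:      {"needs_password": True,  "default_role": "employee"},
    Context.INTERNET: {"needs_password": True,  "default_role": "customer"},
}

# Resources that always require valid credentials AND an office context, so a
# discovered or brute-forced password is useless from outside the offices.
OFFICE_ONLY = {"/admin/fare-rules"}  # constructed resource name


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, role-or-reason) for a request under the context policy."""
    ctx = classify_context(req.source_ip)
    rule = POLICY[ctx]
    if req.resource in OFFICE_ONLY:
        # Both conditions are required; the context check comes first so that
        # credential guessing from outside never reaches the password check.
        if ctx < Context.OFFICE:
            return False, "denied: resource restricted to office context"
        if not req.credentials_valid:
            return False, "denied: credentials required"
        return True, "admin"
    if rule["needs_password"] and not req.credentials_valid:
        return False, "denied: credentials required in %s context" % ctx.name
    return True, rule["default_role"]


if __name__ == "__main__":
    # Constructed sample requests: an office user without a password, an
    # Internet user with and without a password, and an admin resource from each.
    for r in (Request("10.10.5.7", "/bookings", False),
              Request("203.0.113.9", "/bookings", False),
              Request("203.0.113.9", "/bookings", True),
              Request("203.0.113.9", "/admin/fare-rules", True),
              Request("10.10.5.7", "/admin/fare-rules", True)):
        print(r.source_ip, r.resource, "->", decide(r))
```

The decision is only as trustworthy as the context signal: the source address must come from the network perimeter (the VPN concentrator or reverse proxy that terminated the connection), never from a client-supplied header, otherwise an external user could claim the office context and bypass the password check.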

The diagram shows an example of the application of the idea to...