13.10 Policy-Based Security




With today’s LAN administration tools, security goes far beyond mere password protection to include implementation of a policy-based approach characteristic of most mainframe systems. Under the policy-based approach to security, files are protected by their description in a relational database. This means that newly created files are automatically protected, not at the discretion of each creator, but consistent with the defined security needs of the organization.

Some products use a graphical calendar through which various assets can be made available to select users only during specific hours of specific days. For each asset or group of assets, a different permission type may be applied: permit, deny, and log. Permit allows a user or user group to have access to a specified asset. Deny allows an exception to be made to a permit, for example, not allowing writes to certain files. Log allows an asset to be accessed but stipulates that such access will be logged.

Although the LAN administrator usually has access to a full suite of password controls and tracking features, today’s advanced administration tools also provide the ability to determine whether or not a single login ID can have multiple terminal sessions on the same system. The LAN administrator can also specify an enforcement action to be taken when a user’s login ID exceeds the system limit for violations, such as:

  • Cancel: The access attempt is denied, and the process that attempted the unauthorized access is canceled.

  • Log out: The access attempt is denied, and the process group and all child processes associated with it are canceled. If a logged-in user is associated with the attempt, he or she will also be logged out.

  • Suspend: The access attempt is denied, and the process group and all associated child processes are canceled. In addition, the login ID is suspended and the user is locked out of the system until the suspension is explicitly lifted by the LAN administrator.

Through the console, the LAN manager can review real-time and historical violation activity on-line, along with other system activity.
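The permit/deny/log permission types, the calendar windows, and the violation limit with its enforcement action can be modeled in a few lines. The following is an added example, not code from the book or from any product it describes; the class names, asset names, and the rule that an access matching no permit or log entry is refused are assumptions, and process cancellation is represented only by the returned string.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Rule:
    kind: str         # "permit", "deny" or "log"
    group: str
    asset: str
    ops: frozenset    # operations the rule covers
    days: frozenset   # weekdays, Monday=0
    hours: range      # hours of the day the rule is active

    def matches(self, group, asset, op, when):
        return (group == self.group and asset == self.asset and op in self.ops
                and when.weekday() in self.days and when.hour in self.hours)

@dataclass
class Policy:
    rules: list
    limit: int        # violations tolerated per login ID
    action: str       # "cancel", "logout" or "suspend"
    violations: dict = field(default_factory=dict)
    suspended: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # what the console would display

    def check(self, login, group, asset, op, when):
        if login in self.suspended:
            return "denied (suspended)"
        hits = {r.kind for r in self.rules if r.matches(group, asset, op, when)}
        # Deny overrides permit; no matching rule means no access (assumption).
        if "deny" not in hits and hits & {"permit", "log"}:
            if "log" in hits:
                self.audit.append((when, login, asset, op, "access"))
            return "allowed"
        count = self.violations[login] = self.violations.get(login, 0) + 1
        self.audit.append((when, login, asset, op, "violation"))
        if count <= self.limit:
            return "denied"
        if self.action == "suspend":
            self.suspended.add(login)   # stays until an administrator lifts it
        return f"denied ({self.action})"

# Constructed sample policy: office-hours access to payroll, writes excepted.
WEEK, OFFICE = frozenset(range(5)), range(8, 18)
policy = Policy(limit=2, action="suspend", rules=[
    Rule("permit", "staff", "payroll.db", frozenset({"read", "write"}), WEEK, OFFICE),
    Rule("deny", "staff", "payroll.db", frozenset({"write"}), WEEK, OFFICE),
    Rule("log", "staff", "audit.txt", frozenset({"read"}), WEEK, OFFICE),
])
```

Calling `policy.check(login, group, asset, op, when)` with a `datetime` returns the decision, and `policy.audit` accumulates the logged accesses and violations an administrator would review.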






LANs to WANs: The Complete Management Guide
ISBN: 1580535720
EAN: 2147483647
Year: 2003
Pages: 184
