Multi-party authorization (MPA) is a process to protect a telecommunications network, data center or industrial control system from undesirable acts by a malicious insider or inexperienced technician acting alone. MPA requires that a second authorized user approve an action before it is allowed to take place. This pro-actively protects data or systems from an undesirable act.
Architecture
Existing methods to protect data and systems from the malicious insider include auditing, job rotation and separation of duties. Auditing is a reactive method meant to discover who did what after the fact. Job rotation and separation of duties are limiting techniques meant to minimize prolonged access to sensitive data or systems in order to limit undesirable acts. In contrast, MPA is a pro-active solution.
An advantage MPA has over other methods to protect from undesirable acts by a malicious insider or inexperienced operator is that MPA is pro-active and prevents data or systems from compromise by a single entity acting alone. MPA prevents the initial undesirable act rather than dealing with a breach or compromise after the fact.
Application
Multi-party authorization technology can secure the most vulnerable and sensitive activities and data sources from attack by a compromised insider acting alone. It is somewhat analogous to weapons systems that require two individuals to turn two different keys in order to enable the system. One person cannot do it alone. Another example is to consider access to a lock box in a bank. That access requires multiple parties, one the lock box owner and another a bank official. Both individuals act together to access the lock box, while neither could do so alone. MPA, in like manner, ensures that a second set of eyes reviews and approves of activity involving critical or sensitive data or systems before the action takes place.
Multi-party authorization is suitable for a wide variety of applications. MPA can be implemented to protect any type of sensitive data in electronic form or any activity within a network infrastructure or computerized control system. An electronic health record is an example of a data record that could be protected by MPA. Multi-party authorization provides pro-active protection from undesirable acts by the inexperienced technician or malicious insider.
References
US Patent 7,519,826, issued: April 14, 2009 for "Near Real Time Multi-Party Task Authorization Access Control"
Further reading
IT BusinessEdge, Nov 25, 2009 "Protecting From the Malicious Insider: Multi Party Authorization"