Abstract: A method to enforce compliance with multiple-person-control rules in a secure-computing system to protect against the insider threat. The method can be patched onto an existing secure computer systems to provide granular control of any type of resource request. Existing user-user access controls are configured to prevent users from gaining unfettered access. Tasks requiring higher privilege, such as system administration, are performed under the present method of multiple-person controls, using digital signatures of resource requests to provide a separate layer of protection. A script running with sufficient privilege executes resource requests requiring privilege elevation, but only after validating a first digital signature signed by a requester and validating one or more additional digital signatures signed by reviewers. To detect playback attacks, a nonce can be included in the signed message and compared with nonce values from previously processed resource requests.

Abstract: A method to enforce compliance with multiple-person-control rules in a secure-computing system to protect against the insider threat. The method can be patched onto an existing secure computer systems to provide granular control of any type of resource request. Existing user-user access controls are configured to prevent users from gaining unfettered access. Tasks requiring higher privilege, such as system administration, are performed under the present method of multiple-person controls, using digital signatures of resource requests to provide a separate layer of protection. A script running with sufficient privilege executes resource requests requiring privilege elevation, but only after validating a first digital signature signed by a requester and validating one or more additional digital signatures signed by reviewers. To detect playback attacks, a nonce can be included in the signed message and compared with nonce values from previously processed resource requests.