JP2007172366A - Storage device management device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To manage a storage device connected to a computer, such as a removable disk, a built-in hard disk, a flexible disk and a CD-R/DVD drive, while almost all of information leakage which is a problem in a company is sampling of data by persons concerned now that various storage devices are widely used and it is the problem caused since the computer is often shared inside the company. <P>SOLUTION: By managing access to the storage device by a management device and arbitrarily setting inhibition/permission respectively for read/write and whether or not to perform ciphering, data are prevented from being taken out to the outside. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

   The present invention relates to information leakage prevention caused by taking out data from a computer.

   At present, various media such as USB memory, CD-R, and memory card are widely used as storage devices in addition to hard disks.

Along with this, information leakage caused by the extraction of data by related parties has become a problem in companies.
Patent application number 2003279854

   With the widespread use of various storage devices, most of the information leakage that has become a problem in companies is the extraction of data by related parties. This is a problem that has arisen due to an increasing number of companies using computers in common.

In addition, the development of portable storage devices has made it easier to carry data, but there is a risk that important data such as personal information can be easily extracted. The Personal Information Protection Law has been enacted, and companies have been challenged to strengthen security against information leakage.

The present invention relates to a removable disk, a built-in hard disk, a flexible disk, a CD-
It manages storage devices connected to computers such as R / DVD drives. The management device manages access to the storage device, and prohibits / permits for each read / write,
Further, it is possible to prevent data from being taken out by arbitrarily setting whether or not encryption is performed. FIG. 1 shows an overall configuration diagram. The management device is implemented as an extension of the disk management system provided by the OS. Hereinafter, since the disk management system is a standard function of the OS, it will not be described. The disk management system is included in the OS
And

   According to the present invention, storage devices can be managed and read / write permission and prohibition can be set for the connected storage devices.

Restricting the inflow of malicious programs from outside by prohibiting reading.
Restrict data leakage by prohibiting writing.

If the storage device is lost by encrypting and writing, the storage device cannot be read from another computer system. Then, unauthorized setting changes by third parties are restricted by physical switches that prohibit and permit these setting changes.

   FIG. 7 shows an embodiment of the apparatus of the present invention. The removable device is used as a physical key, and the state of whether or not the removable device is inserted into the computer system is handled as a physical switch.

With these two values, the change of the setting of the management apparatus is prohibited and permitted. In FIG. 7, a USB (Universal Serial Bus) memory is used as an example.

   12 to 16 show operation screens of the present invention. Hereinafter, each mechanism will be described from the description of each screen.

FIG. 13 is a control screen of the present invention. Here, the switch and the storage device for enabling the present invention
And a physical switch management function according to claim 5. Each switch saves its contents in a computer storage device and maintains the contents.

S131 is an additional function that enhances the convenience of the present invention. When S131 is on and S71 is connected to S72, computer mouse and keyboard input is prohibited to protect the computer system.
S132 is a switch for prohibiting the display of the management screen. This is a safety device that prevents people other than the administrator from changing this setting. As will be described later, in the present embodiment example, an administrator physical key that permits all operations of the present invention to the physical switch of S71, and a general physical key.
Two types are available. When this switch is on, this screen cannot be called by the user for a general physical key. Unauthorized users should not change the settings of the present invention.
It is a safety device prepared.
When the switch of S132 is ON, the setting change of this apparatus is permitted only when S71 is connected to S72.

   S134 is a button for managing S71. When the button is pressed, a physical key registration screen shown in FIG. 15 is called. By pressing this button switch, the control screen changes to FIG.

  S133 is a button for calling FIG. 16 which is a security setting management screen. By pressing this button switch, the control screen changes to FIG.

   FIG. 15 shows a management / registration screen of a physical key (hereinafter referred to as a physical key). In the present invention, the entire management apparatus is protected by a protection switch linked with a physical key. The protection switch assigns the entire protection / release value to ON / OFF. Each switch stores its contents in a computer storage device and maintains the contents.

  The physical key is a USB device used as S71.

There are three types of physical keys: an administrator main key, an administrator spare key, and a general key.
There is one administrator main key and one administrator spare key, and the general key is NO. 1 to NO. Up to 18 can be registered.

  The administrator main key and the administrator spare key are physical keys for management. When these keys are connected, the mechanism of FIG. 13 can always be invoked and executed.

   The general key is a key that restricts the setting change function of the present invention. Details are omitted because they are not directly related to the claims of the present invention.

S151 is a registration button of the USB device. When the USB device is connected by pressing this button, the unique identification information of the currently connected USB device is read and registered as a physical key to be used in S71.
The unique identification information has a mechanism for storing it in the memory in the form of a table shown in FIG. It is assumed that n in FIG. 17 represents 20 here.

S171, S172, S173, and S174 have a function of storing in a storage device as many tables as can be registered as keys that can be used as S71. In this embodiment, the first and second tables are allocated as manager keys. The actual general keys are the third to twentieth keys. Con
When a USB device is connected to a computer, a mechanism is provided for authenticating as S71 when the USB identification information matches with this table.

  The unique code of the storage device used for identification by the management device according to claim 4 is an arbitrary combination of a serial number, a vendor ID set for each USB device, and data written to the storage device.

The serial number is a unique code adopted by the US Microsoft OS. This data is created and stored by the OS when the storage device is formatted. The serial number is rewritten to new data each time the storage device is formatted. Follow
Each storage device has a different serial number.

  The vendor ID is an identification code indicating the manufacturer and product number set for each USB device. The vendor ID is a unique code defined in the USB specification.

  Data written to the storage device (hereinafter referred to as a key authentication file) is data stored in the storage device by the present invention. The key authentication file is a unique code for recognition that writes data to the storage area of the storage device at the time of registration.

  The button in S152 is an switch for confirming whether the USB device registered in S151 operates as a key. This is a device for verifying whether the registered USB device operates as S71. This is a mechanism to notify the user when it operates normally.

  When the button in S152 is pressed, the unique code in S81 and the unique code in the connected storage device are tried to match. In the first embodiment, use as a physical key is permitted only when the values match.

   S153 is a remarks column. This is an item for the user to input an arbitrary character string to distinguish physical keys. A USB device registered as a key is provided for easy management.

 In step S154, the unique code of the USB device registered as the physical key is displayed. The key registered in S151 is displayed so that the user can easily manage it. The information stored in S81 is displayed. This allows you to list registered keys.

   The information registered in FIG. 15 is stored in the memory in the format of FIG. The table of FIG. 8 has n table structures and corresponds to the registration of a plurality of physical keys. In this embodiment, n is 20.

FIG. 6 is a flowchart showing the operation when the physical key is connected.
This flowchart is a flow of checks performed when the call of FIG. 13 which is the management screen of the present invention is performed.
In S61, it is confirmed whether the setting of the management system is currently protected. Specifically, it is confirmed whether one of switches S131 to S132 is on.
When it is on, it is checked in S62 if the administrator physical key is connected to the computer. When connected, the process transits to FIG.
When not connected, the setting is regarded as protected and the transition to FIG. 13 is prohibited.

General key is
It is for connecting to a computer and reading and writing data. If writing to any unspecified storage device is allowed, the risk of data leakage increases. Safety can be improved by preparing a mechanism that allows writing only to a general key registered in advance. Disk access
High safety is ensured by using it together with log monitoring.

If the identification code of the storage device connected to the computer is not included in the table of FIG. 17, read / write encryption is set according to the table of FIG. In S111, prohibition of writing to the connected storage device is set. S112 prohibits reading, and the flow of malicious programs
Prevent entry. In S113, whether to encrypt reading and writing is set. The table in FIG. 11 determines the correspondence when an unknown storage device is connected.

   FIG. 16 is a screen for managing security settings.

   FIG. 16 includes a physical key authentication method selection device. Select the authentication method to be used from the three types of identification codes: serial number, USB device information, and key authentication file.

   S161 is a switch for designating authentication based on USB device information, so-called vendor ID and product ID. When ON, it authenticates by vendor ID and product ID.

   S164 is a switch for designating authentication by serial number. When it is ON, authentication with serial number is performed.

S165 is a switch for designating authentication by the key authentication file. When ON, authentication is performed using the key authentication file. The key authentication file assumes that the connected physical key is a storage device and performs authentication by reading authentication information from the physical key as a file.
The

   The settings made in S161, S164, and S165 are stored in the management device, and the storage device is authenticated as a unique identification code in accordance with the settings.

Computer disk storage devices can be broadly classified as fixed removable disks.
There is what is called a disk device. This screen has button switches that can be set individually.

   By pressing the S162 button, the screen transitions to FIG. 14, which is a fixed disk setting management screen.

   By pressing the S163 button, the screen transitions to FIG. 12, which is a setting management screen for a removable disk.

   FIG. 14 shows a fixed disk setting management screen. This management screen displays the fixed disk devices currently connected to the computer. Then, write prohibition, read prohibition, and encryption are specified. Each setting saves its contents in a computer storage device and maintains the contents.

   The setting of this screen is stored in the storage device in the format of FIG. This management system manages each fixed disk unit connected to the computer according to the table in FIG.

   S141 is a setting switch for prohibiting / permitting writing to the fixed disk device. When the check box for write protection is checked, writing to the fixed disk device is prohibited.

S142 is a setting switch for prohibiting / permitting reading from the fixed disk device.
When the check box of read prohibition is checked, reading of the fixed disk device is prohibited.

S143 is an encryption setting switch for reading from and writing to the fixed disk device.
If encryption is selected in S143, encryption is performed when writing to the fixed disk device, and demodulation and decoding are performed when reading.
Encryption is designed to make it difficult for secrets to be leaked outside when the computer and fixed disk device are stolen.

The settings of FIG. 14 are stored in the memory in the format of FIG. The setting of S141 is saved in S81, the setting of S142 is saved in S83, and the setting of S143 is saved in S84. At the same time, the management device connects to the fixed disk device according to the corresponding settings in FIG. S144 is a fixed disk
This is a mechanism for monitoring access information log of the network device, but it is not related to the present invention and will not be described.

The removable disk can be classified and managed as a disk device registered as a physical key, an unregistered disk device, a CD-ROM / DVD, and an FD (flexible disk) by the mechanism of FIG. FIG.
It is a mechanism to manage these individually.

   In FIG. 12, removable disk setting management is performed. This is a device that sets read / write prohibition / permission and encryption for a registered storage device, an unregistered storage device, a CD-R / DVD, and an FD.

   In step S121, an access restriction is designated for the physical key registered in FIG.

   When S125 is on, writing is prohibited. When S12 is on, reading is prohibited.

   In S127, when encryption is specified by a setting switch for specifying encryption, encryption is performed when data is written, and demodulation is performed when data is read.

FIG. 3 is a diagram showing the internal operation when the setting is actually performed. Read S23 of the management device
Reading is permitted when the only setting switch is ON.

   Two values of ON / OFF are also assigned to the setting switch of S25 for encryption / non-encryption.

   S122 determines the setting of the disk device that has not been registered by the mechanism shown in FIG. In S125, write prohibition is set. In S126, prohibition of reading is set. Encryption is set in S127.

   The setting of S122 is stored in the memory in the format of FIG. The value of S125 corresponds to S111, the value of S126 to S112, and the value of S127 corresponds to S113 and is stored in the storage device.

   When an unregistered disk device is connected, referring to the table of FIG. 11, the value of S111 is set to S22, the value of S112 is set to S23, and the value of S113 is set to S25 to connect to the disk device. FIG. 5 shows a configuration diagram when the use of an unregistered storage device is prohibited as an example.

   S124 is a mechanism for setting access for CD-R / DVD, which includes a setting switch similar to the setting screen of FIG. In S125, write prohibition is set. S126 sets prohibition of reading, and S127 sets encryption.

   The setting of S124 corresponds to the table of FIG. 10, and the contents are stored in the storage device. The value of S125 matches S101, the value of S126 matches S102, and the value of S127 matches S103.

   When the CD-R / DVD is inserted, referring to FIG. 10, the value of S101 is linked to S23, the value of S102 is linked to S22, and the value of S103 is linked to S25.

   S123 is a management apparatus for a flexible disk having the same setting switch as the setting screen of FIG. In S125, write prohibition is set. In S126, read prohibition is set. In S127, encryption is set.

   The settings made in S123 are stored in the storage device in the format shown in FIG. The value of S125 matches S92, the value of S126 matches S93, and the value of S127 matches S94.

When the flexible disk is accessed, the table of FIG. 9 is referred to. If they match, the value of S92 is set to S23, the value of S93 is set to S22, and the value of S94 is set to S25.

1 is an overall configuration diagram of the present invention. Although the computer and the OS have a complicated configuration, the computer and the OS are specifically expressed in the disk management system related to the present invention.

It is an internal structure figure of a management apparatus. Usually, the storage device is directly connected to the OS or the disk management system of the OS. This invention represents what is in the form of a switch during this time.

Example 1 of operation when USB memory is used.

Example 2 of operation when USB memory is used.

Example 3 of operation when USB memory is used.

Operation flow chart of setting protection switch

The physical key insertion and removal in the present invention is shown.

This is a table of management information for fixed disk devices. The settings of each fixed disk unit are managed and saved in the format of this table.

It is a management table for flexible disks. Set the flexible disk writing, reading, and encryption according to this table.

It is a management table for CD-R / ROM / DVD. In accordance with this table, CD-R / ROM / DVD write settings, read settings, and encryption settings are made.

It is a management table of setting data for an unregistered disk device. This table is stored in the storage device and is referenced when an unregistered disk unit is connected.

It is the operation screen of the Example of this invention developed with the software in the US Microsoft OS. It is a figure of the screen which performs the setting of reading, writing, and encryption of a removable disk, CD-R / DVD, FD, and an unregistered disk.

It is a figure of the main operation screen of the Example of this invention.

It is an Example of this invention. This screen is used to set the reading, writing, and encryption of the internal hard disk.

The operation screen of the Example of this invention. This screen is used to register a physical key.

The operation screen of the Example of this invention. This is the screen for setting each security. It is a table for managing USB devices registered as physical keys.

Explanation of symbols

S11 is the management apparatus of the present invention.
S12 A fixed disk device built in the computer.
S13 A disk drive used for reading and writing media such as CD-R and DVD. Media include CD-R, CD-RW, DVD-R, DVD-RW, DVD-RAM, and the like.
S14 is a flexible disk drive.
S15 An external disk drive such as a USB memory, memory card, or MO drive. A USB memory is shown as a representative.
S16 An external fixed disk device.
S17 A computer operating system.
S18 A component that manages the disk units existing in the operating system.

S21 is an arbitrary storage device.
S22 is a setting switch for writing. Select from the two values of prohibition / permission.
S23 is a setting switch for reading. Select from the two values of prohibition / permission.
S24 A computer operating system.
S25 An encryption setting switch. Select from two values, whether or not.
S31 A USB device that operates as a disk device.
S33 A summary of claims 1 and 2. This is called a management device.

S41 Operates as a disk device
USB device.
S51 A USB device that is not registered in FIG. 15 and operates as a disk device.

S61 Specifically, it is confirmed whether S131 to S132 are turned on. Disabled when both are off
Flowing. S62: Determine whether the connected USB device is an administrator key.
S63 The call of FIG. 13 is prohibited so that the setting cannot be changed.

S71 Any USB device.
S72 USB connection device.

S81 is an area for storing data used for disc recognition. The serial number is stored here.

S82 is an area for storing the write switch setting.
S83 This area stores the switch setting for reading.
S84 is an area for storing the setting of the encryption setting switch.

S91 Keep write switch setting
This is the area to be tubed.
S92 is an area for storing the read switch setting.
S93 This area stores the encryption setting switch settings.

S101 Set the write switch
It is an area to store.
S102 is an area for storing read switch settings.
S103 This area stores the setting of the encryption setting switch.

S111 Set the write switch
It is an area to store.
S112 is an area for storing read switch settings.
S113 is an area for storing the setting of the encryption setting switch.

S121 Read, write, and encrypt removable disks registered as physical keys
It is a column.
S122 Read / write / encrypt unknown disk device not registered as physical key
This is a field for setting.
S123 is a column for setting reading, writing, and encryption of the flexible disk.
S124 is a column for setting the reading, writing and encryption of the CD-R / DVD.
S125 is a write prohibition setting switch.
S126 Read setting prohibition switch.
S127 is an encryption setting switch.
S128 This is a log monitoring switch.

S131 is a check box for enabling the operation lock by the physical key.
S132 is a check box for enabling the prohibition of calling the setting screen.
S133 is a button for calling the operation screen of FIG.
S134 is a button for calling FIG.

S141 is a write prohibition setting switch.
S142 Read setting prohibition switch.
S143 is an encryption setting switch.
S144 is a log monitoring setting switch.

S151 A physical key registration button.
S152 is a button for testing whether authentication is correctly performed.
S153 is an item for writing a memo.
S154 is an item for displaying information used for physical key authentication.
S155 is a physical key registration field for the administrator.
S156 This is a physical key registration field for general users.

S161 is a check box for selecting data used for physical key authentication.
S162 is a button for calling the operation screen of FIG.
S163 is a button for calling the operation screen of FIG.

S171 A storage area for storing a vendor ID.
S172 This is a storage area for storing the product ID.
S173 Serial number of the disk unit. The US Microsoft OS sets a unique serial number in the storage device. This is a storage area that stores the information.
S174 A storage area for storing the storage location of the key file written on the USB device.

Claims (5)

Read-protect and write-protect switch for computer disk management device and this
A disk management device with a switch. Encryption designation switch for computer disk management device. And a disk management device with an encryption switch. When the encryption designation switch is on, encryption is performed when data is written to the disk device, and data is demodulated when data is read. A function of storing individual and unique information of a storage device managed by the disk management device, and a function of storing the values of the respective switches of claim 1 and claim 2 in the storage device, the storage device being a computer system Pre-stored storage device unique information when connected to
A mechanism for setting the switch values of claim 1 and claim 2 according to storage when they match with the information, and a disk management device including the mechanism. When a storage device that does not match in claim 3 is connected to the computer system, the storage device is provided with a function for storing the switch values of claim 1 and claim 2, and the stored value is defined in claim 1. A mechanism for setting the switch according to claim 2 and a disc provided with the mechanism.
Management device. A physical switch that prohibits the change of the switch according to claim 1 and a disk management device including the physical switch.

Images