JP6727804B2 - Middleware - Google Patents

Description

The present invention relates to middleware that can create and incorporate cloud applications without being restricted by cloud platforms.

Nowadays, with the information processing method called cloud computing, a service provider or a provider installs a cloud application that performs a specific process on a cloud platform provided on a cloud service server without depending on the resources of its own information processing terminal. Then, if the user can connect using the network, the specific processing in the service can be performed regardless of the place.

The following technologies have been proposed for the point that a service provider or a provider opens a cloud application that performs specific processing on a cloud platform (allows a user to perform cloud computing).

For example, in Patent Document 1 (JP-A-2015-72653), in order to realize appropriate asynchronous communication for avoiding the limitation of the cloud platform in cloud computing, data between the cloud platform and an external system is It is proposed to provide a relay device that relays communication.

For example, Japanese Patent Laid-Open No. 2014-174834 discloses a super-resolution process in a plurality of nodes on a cloud platform, which has good affinity with cloud computing and can efficiently handle compression-coded images. The distributed processing technology of is proposed.

For example, in Patent Document 3 (Japanese Patent Laid-Open No. 2011-170804), a task defined with information used for maintaining consistency is executed on a cloud platform in which strict consistency of data files is not guaranteed. At this time, we propose a technology for recording in a write protected area that is managed in the cloud platform.

As an example of cloud computing using a cloud platform that makes full use of the above technologies, there is a data file storage/sharing service (hereinafter referred to as an online storage service).

According to the above definition, the online storage service is a cloud service that does not store (although it may store) data files that should be stored in its own information processing terminal (for example, in a hard disk with the information processing terminal). If the online storage service provider of the server saves the data in a storage area reserved for that person and can connect to the storage area using a network, the storage data file can be used anywhere. ..

However, the online storage service provider has the following obstacles in providing the service. First, when creating a cloud application for an online storage service, it is necessary to first confirm the cloud platform that operates on the cloud service server and create it so as to support it. That is, for example, if there are three types of cloud platforms, it is necessary to create three types of cloud applications in order to operate the cloud applications on each cloud service server, which is troublesome. This is a problem that can be said in the techniques of Patent Documents 1 to 3 above.

Further, when the data file handled by the online storage service handles, for example, a medical (image) data file, at present, it can be stored in the online storage service in the operation of the medical data file, but this is extremely troublesome. The reason for this is that there are many conditions (data file security) established by each relevant ministry and agency, and it is extremely troublesome for an online storage service provider (cloud application creator) to create a cloud application after understanding them. As a result, there is no online storage service that provides an environment that “satisfy all the conditions” of the relevant ministries and agencies.

JP, 2005-72653, A JP, 2014-174834, A JP, 2011-170804, A

The problem to be solved is that when trying to run the cloud application on each cloud service server, it is necessary to create cloud applications for each cloud platform running on each cloud service server, and the data file With regard to the online storage service of, it is extremely troublesome to create a cloud application after grasping them when trying to handle data files that are severely restricted in operation or have many security conditions.

To solve the above problems, the middleware of the present invention, the cloud service server, in order to be able to incorporate to create a cloud application without being limited by the cloud platform, Ru is 稼 work on cloud platform and means comprising a cloud application, and means comprising a number of La Lee bra reset different cloud platforms, means for generating an interface unit causes specified by the user before the first connection type of the cloud platform cloud platform is mainly characterized in that to function as an environment adjusting means adjust the operating environment of the cloud application reads the library set corresponding to the cloud platform specified in the interface unit.

Since the middleware of the present invention having the above-described configuration has the library sets corresponding to the number of cloud platforms on which the cloud application is to be operated, the cloud application can be created without being restricted by the cloud platform.

Further, if a cloud application incorporating the middleware of the present invention is created, as described above, the cloud application service can be operated without selecting a cloud platform.

FIG. 1 is a conceptual diagram showing a cloud application service adopting the middleware of the present invention. FIG. 2 is a conceptual diagram for explaining the positioning of the middleware of the present invention. FIG. 3 is a conceptual diagram showing the configuration of the middleware of the present invention. FIG. 4 is a diagram showing an example of screen display contents by the interface unit in the middleware of the present invention. FIG. 5 is a diagram showing a processing procedure of the middleware of the present invention.

The middleware of the present invention has to create cloud applications only for each cloud platform, and when trying to handle data files with many security conditions, it is extremely difficult to create cloud applications after grasping them. user point where the time, the cloud service server, and means comprising a cloud application, and means comprising a number of set of libraries different cloud platforms, the first type of the cloud platform before connection to the cloud platform means for generating an interface unit causes specified, were resolved by to function as an environment adjusting means adjust the cloud application operating environment reads the library set corresponding to the cloud platform specified in the interface unit.

The present invention having the above structure, the cloud service server, means for Ru and secure set of libraries having the number of security to take the cloud platform, the interface unit makes selecting the type of cloud applications and data files to the user a resulting unit may be configured to function as an environment adjusting means adjust the security environment of the cloud application reads the selected are security security library set.

By doing so, it is not necessary to take different security measures for each cloud platform in the cloud application, or to create a separate security program.

Further, in the present invention, in the above-mentioned configuration for preparing the security environment, the cloud service server may be caused to function as an online storage service for medical data files by a cloud application. By doing this, it is possible to provide an online storage service for medical data files that could not be handled until now under a strict security environment, regardless of cloud platform.

Hereinafter, specific embodiments of the present invention will be described with reference to FIGS. 1 to 5. The middleware 1 of the present invention is a cloud service server provided with a cloud platform P (hereinafter referred to as a platform P) , and provides a predetermined cloud application, in this example, services such as storage, management, and sharing of medical data files. It is for operating an online storage application A (hereinafter referred to as application A) for providing.

As shown in FIG. 1, the concept of the application A in this example is, for example, a hospital, which is connected via communication to an application A (installed via the middleware 1) running on a certain platform P. For example, medical data files can be stored, read, and updated in a terminal device authorized by a medical-related facility, for example, a medical examination car, for example, an X-ray reading doctor.

As shown in FIG. 2, the concept of the middleware 1 of the present invention is provided by existing various cloud applications (application A in this example) that can be loaded on the middleware 1 arbitrarily created by the user. It is possible to operate on any platform regardless of the platform P, in the figure, regardless of the a platform, the b platform, and the c platform.

As shown conceptually in FIG. 3, the middleware 1 includes an application A, a library set PL (three types in this example, respectively referred to as PL1, PL2, and PL3) and a platform P having a number of different types of platforms P, respectively. Before the first connection with the security library set PS (three types in this example, respectively, PS1, PS2, and PS3) having the number corresponding to the type of the data file and the platform P, the type of the platform P is designated. An interface unit 2 and an environment adjusting unit 3 for reading out a library set corresponding to the cloud platform designated by the interface unit and adjusting the operating environment of the cloud application are provided.

As described above, the application A is arbitrarily created by the user and can be considered as a separate component of the middleware 1 of the present invention. However, the middleware 1 is specifically an application programming interface ( Since it is one of the APIs and is incorporated in the stage of creating the application A (created using the API), the cloud application is not limited, but it is an integral part of the middleware 1 of the present invention. It is equipped with a position.

According to the above definition, the interface unit 2, the environment adjustment unit 3, the library set PL, and the security set are also APIs, but even if they are separate entities (although they may be bundled, of course), the middleware 1 and, by extension, the application 1 It is a position that is indispensable for cooperating.

The interface unit 2 is a language that can be decoded by browsers (applications) used as a common interface by those who use cloud application services, that is, the most general-purpose language that can be decoded by each platform P, for example, as a program created in HTML. The description is extremely small and simple.

When the interface unit 2 is first connected to the platform P (meaning that the application A is installed: incorporated), the screen shown in FIG. 4, for example, is displayed. This display is displayed on the screen of the communication terminal on the side where the application A is to be incorporated into the platform P, that is, the service provider side.

The interface unit 2 displays the type of platform P to which the application A is to be connected on the screen of the communication terminal on the service provider side, the security set for operating the service (application A), and the security set that is a condition of the platform P. Each item and a check box are shown so that PS or individual security can be selected.

The library PL is a collection of library files required to run on the platform P incorporating the created application A. For example, in this example, the library set PL1 contains the library files for the a platform of FIG. 2, the library set PL2 contains the library files of the b platform of FIG. 2, and the library set PL3 contains the library files of the c platform of FIG. The library files of are collected.

The security set PS is a collection of security library files required by the application A (service) and the platform P. For example, in this example, medical data files are handled, but the handling of this medical data, especially medical image data (files) such as X-rays for which guidelines for handling have been clarified, will be taken by each ministry in 2015. And there is something like the following.

(Ministry of Economy, Trade and Industry)
・Use e-government recommended cipher list (2.6.11.1)
・Countermeasures when the encryption key is leaked (2.6.11.2)
・Issuing a trusted digital certificate (2.6.11.3)
-Cryptographic algorithm switching setting (2.6.11.4)
・Obtaining the fingerprint by another route (2.6.11.5)
・Prevention of software tampering and implementation of detection measures (2.6.1.6) (2.6.2.4)
・Verification of damage/tampering in the communication path (2.6.8.4)
・Unique worker ID allocation (2.6.14.1)
・In principle, group ID is not possible (2.6.14.3)
・Prohibition of reuse of worker ID (2.6.14.6)
・Periodical confirmation of unnecessary worker ID (2.6.14.7)
・Record of work execution contents of privilege ID (2.6.14.10)
・Set expiration date (2.6.14.14)
・Management of change history (2.6.14.15)
・Non-response processing for a fixed time when input fails (2.6.14.16)
・Digital signature of password file (2.6.14.20)
・Recertification after a certain period of time (2.6.14.21)
-Processing after a certain number of failures (2.6.14.22)
・Limited connection destination/connection time (2.6.6.1)
・Traffic management by IP address (2.6.6.2)
• Physical closure of unused ports (2.6.6.4)
・Update of signature/detection rules for intrusion detection (2.6.6.6)
・Display of monitoring terminals when sending attacks, sending e-mail, etc. (2.6.6.7)
· In malicious coat protection software
-Real-time scan (2.6.3.2)
-On-demand scan to electronic media (2.6.3.2)
-Automatic update of definition files (2.6.3.2)
・Audit activity/event/usage status audit log (2.6.12.1)
・Restrict access to log data (2.6.12.5)

(Ministry of Internal Affairs and Communications)
・Protection measures for confidentiality, authenticity, and integrity of information (10.1)
・Use of IP encrypted communication (VPN I/Psec, etc.) (III .3.2.2)
-Use of HTTP encrypted communication (SSL/TLS, etc.) (III .3.2.2)
・Prevention of unauthorized deletion/falsification/addition of data ・Time authentication, use of digital signature (III .5.1.1)
-Restrict the allocation and use of authority of information system managers and network managers (III.3.1.2)
-Take measures against spoofing by using an appropriate authentication method, a method of authenticating the connection from a specific place or device, etc. (III .3.1.3)
・Obtaining a server certificate (III .3.2.3)
・Regular update of password ・Do not use extremely short/easy to guess ・No response for a certain period of time when input fails ・Process after a certain number of failures ・Measures to prevent unauthorized access from outside and inside (firewall, Introduction of reverse proxy, etc.) (III .3.1.4)
・Measures to automatically detect and block illegal transit packets (IDS/IPS, etc.) (III .3.1.5)
・Always take appropriate measures to prevent the intrusion of unauthorized software such as viruses ・Take measures against viruses (data programs, e-mails, databases, etc.) (III .2.2.1)
-At least the user's login time, access time, and the patient who operated during login can be identified.-User usage status, exception handling, and information security event records (logs, etc.) (III .2.1.3)
・Measures such as stealth mode and ANY connection refusal ・Access restriction by SSID and MAC address ・Encryption of communication by WPA2/AES etc. (Ministry of Health, Labor and Welfare)

(Ministry of Health, Labor and Welfare)
・Password tapping/text tapping prevention (6.11C2)
・Use of SSL/TLS and S/MIME (6.11C5)
・Use of e-government recommended cipher list (6.11C5)
-File encryption (6.11C5)
・Implementation of data tampering detection measures (6.11B1.2)
・Use of digital signatures (6.11B1.2)
・User identification and authentication (6.5C1)
・Information division management and access authority management (6.5C5)
・Prevention of session hijacking (6.11C1)
・Prevention of IP address spoofing (6.11C1)
・Password file encryption management (6.5C10.1)
・Regular change of password (up to 2 months) (6.5C10.4)
・F/W by packet filtering (6.5B5)
・Introduction of IDS (6.5B5)
・Deactivate unused services/ports (6.5B4)
・Sequential update of security patches (6.5B4)

The above is not necessarily required by the application A as in this example and has to be implemented. However, if regulations and guidelines are strictly defined by the data file to be handled, it is necessary to implement them on the platform P side. Not all security measures are taken, and it is extremely troublesome to implement all of them on the application A side.

Therefore, in the middleware 1 of the present invention, a security set is provided for every security library that is provided, for example, for each platform P, for example, for each service provided by the application A, or for each type of data file handled by the cloud application service, for example. It can be selected by setting like PS1, 2, 3 or individually.

That is, in the middleware 1 of the present invention, if the library set PL and the security set PS are selected, the peripheral environment is almost prepared, so that the creator of the application A (cloud service provider) only has the pure contents of the application A. It will be better if you work on.

The environment adjusting unit 3 reads the library set PL and the security set PS (individual security libraries) corresponding to each item selected (checked) in the interface unit 2 and prepares the connection environment between the platform P and the application A.

Specifically, for example, when the application A created for the a platform P shown in FIG. 2 is connected (built in) to operate on the b platform P shown in FIG. The platform P is selected and the required security set PS (or individual security library) is selected, and then the library group used for the a platform is replaced with the library for the b platform.

From the application A side, the environment adjustment unit 3 changes the read destination of the library to be read each time the processing is performed, but in this respect, the description (source) in the application A is not rewritten, but is conceptually changed. The PL2 of the library set "PL2" for the b platform will be replaced with the existing library set "PL1" (for the a platform P). That is, from the side of the application A, the processing itself is not rewritten, converted, etc. on any platform PL.

The processing of the middleware 1 of this example having the above configuration will be described with reference to FIG. Using the above example, when the application A created for the a platform P shown in FIG. 2 is to be incorporated into the b platform P shown in FIG. 2, when the setup program is started (#1), the interface The section 2 is activated (#2).

When the interface unit 2 is activated, the screen shown in FIG. 4 is displayed. Here, in this example, since the user intends to incorporate it in the b platform P, that item is checked. Further, in this example, since it is the application A for providing the online storage service that handles medical data files, the items of the security set PS in which the security libraries necessary for this are collected, and if necessary, the illustration of FIG. Check the individual security items shown at the bottom (#3).

When these checks (selections) are completed and a button (not shown in FIG. 4) is clicked, the environment adjustment unit 3 is activated (#4). The environment adjustment unit 3 reads the library set PL and the security set PS (and the individual security library) corresponding to the item selected in the interface unit 2 (#5).

Then, as described above, the environment adjusting unit 3 replaces the library set PL2 that has been selected as the library set PL1 that has been read under the (original development) environment until then, and the security set PS on the b platform P. Adjust to operate (#6).

When the environment is prepared, the middleware 1 reads the application A (#7) and connects the b platform P and the application A (#8). Thereafter, the middleware 1 determines whether the connection (embedding) is completed at predetermined time intervals (#9), and if not completed (No in #9), determines whether an error has occurred (#10), If it is not an error (No in #10), the process returns to #9 and waits for completion, and after completion (Yes in #9), the process ends. On the other hand, in the case of an error (Yes in #10), the error process is executed. Perform (#11) to end the process.

As described above, according to the present invention, since various environments are adjusted on the side of the middleware 1, there is an advantage that only the application A can be developed. Further, when the present invention is used as an online storage service (application A) for medical data files, it is possible to implement extremely strict and strict regulations and guidelines, and there is an advantage that labor for implementation can be saved.

1 middleware 2 interface part 3 environment adjustment part P (cloud) platform PL library set PS security set A (online storage) application

Claims (3)

The cloud service server, in order to be able to incorporate to create a cloud application without being limited by the cloud platform, and means including a torque loud application is 稼 work on cloud platforms, different cloud platforms and means comprising a number of La Lee bra reset means for generating a first interface unit causes specified by the user the type of the cloud platform before connection to the cloud platform, corresponding to the cloud platform specified in the interface middleware, characterized in that to function as an environment adjusting unit reads the set of libraries adjust the cloud application operating environment. The cloud service server, means for generating and means for Ru comprising a number but only security library set of security to take the cloud platform, the interface unit makes selecting the type of security to the user depending on the type of cloud applications and data files of claim 1, wherein the middleware, characterized in that to function as an environment adjusting unit that reads the selected are security security library sets prepare the security environment of the cloud application. The middleware according to claim 2, wherein the cloud service server is caused to function as an online storage service for medical data files by a cloud application.

Images