CN102693373A - Service information protective device - Google Patents

Info

Publication number: CN102693373A
Authority: CN (China)
Prior art keywords: information, user, application, access, visit
Legal status: Granted
Application number: CN2011100810787A
Other languages: Chinese (zh)
Other versions: CN102693373B (en)
Inventors: 池浦规之, 盛永谦一郎, 桥本淳
Current assignee: Nomura Research Institute Ltd
Original assignee: Nomura Research Institute Ltd
Application filed by Nomura Research Institute Ltd
Priority to CN201110081078.7A (CN102693373B) and CN201610822526.7A (CN107103216B)
Publication of CN102693373A; application granted and published as CN102693373B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication


Abstract

The invention provides a service (business) information protection device that improves the information security of a business information system and makes its access rules easy to manage. When a job application is judged to be valid, a registration judging part (131B) assigns an application number that uniquely identifies the job. A job schedule information holding part (136) holds the job schedule information that the registration judging part (131B) has formally registered. A log holding part (152) binds the assigned application number to the access log of the job content corresponding to that application number and holds them together. A job verification part (151B) compares the content of the access log in the log holding part (152) with the job schedule information in the job schedule information holding part (136) that corresponds to the application number bound to the access log, and checks whether the access was unauthorized.

Description

Business information protection device
Technical field
The present invention relates to a business information protection device, and in particular to a business information protection device that can improve the information security of a business information system.
Background art
Business information systems that support the operations of enterprises and public facilities, the so-called enterprise systems, have become the foundation of organizations of every size. A business information system aggregates, accumulates, analyzes and processes data obtained from terminal nodes or databases, and on that basis outputs information of higher added value, thereby supporting complex organizational management.
After going into operation, such a business information system also undergoes various maintenance tasks such as operation monitoring, fault handling, function expansion and function changes. Usually the client enterprise that introduced the system entrusts this maintenance work to an external management company, and in most cases a system engineer (SE) of that management company logs in to the business information system remotely to carry out the work.
In recent years the Sarbanes-Oxley (SOX) Act passed in the United States has strongly required company executives and auditors to guarantee the legitimacy of disclosed information. Japan also plans to introduce a Japanese version of SOX modeled on it, so establishing a posture that can satisfy the Japanese SOX law has become an urgent task.
Against this social background, patent document 1 proposed a technology that, in addition to user authentication by ID and password, makes access conditional on an access rule, namely access granted by an administrator.
[Prior art documents]
[Patent documents]
[Patent document 1] Japanese Laid-Open Patent Publication No. 2004-213475
Summary of the invention
The access rule described in patent document 1 is an effective method of preventing unauthorized access to a business information system, but it requires the administrator to respond to job requests immediately, which is a heavy burden. That is, establishing access rules that readily prevent information leakage is certainly important, but to suppress human error the burden on users must also be considered.
In addition, the business information systems an enterprise introduces are not limited to a single system. For example, an enterprise may introduce a financial system and a customer system separately, or these systems may be integrated into a higher-level system. An enterprise running several such business systems also needs a framework that improves the information security of each business information system and makes their access rules easy to manage.
The purpose of the present invention is to provide a business information protection device that can improve the information security of a business information system.
One aspect of the present invention is characterized by having: a validated-user information holding device, which holds validated-user information in which the validated users who may execute a scheduled process of a system are registered; an application receiving device, which receives application information applying for a specified access schedule in which to execute that scheduled process; a schedule holding device, which holds schedule information associating the applied-for scheduled process with its access schedule; an execution request receiving device, which receives from a terminal user identification information identifying the visitor when the scheduled process is to be executed; a user authentication device, which judges with reference to the validated-user information whether the visitor is registered as a validated user; an application status judging device, which judges with reference to the schedule information whether the visitor has applied for the scheduled process in that access schedule; an access control device, which, on condition that both the judgement of the user authentication device and the judgement of the application status judging device are affirmative, permits access from the terminal to the system to execute the scheduled process; a log recording device, which records the access history from the terminal to the system as log information; and a verification device, which compares the accesses shown in the log information with the accesses applied for in the schedule information for executing the scheduled process, and detects, among the accesses shown in the log information, any access that does not conform to the access applied for in the schedule information as unauthorized access.
It may further have: an application notification device, which notifies an authorizer of the content of the applied-for scheduled process; and an authorization obtaining device, which accepts an authorization input from the authorizer. The schedule holding device then also holds the applied-for scheduled process in the schedule information in association with its authorization status, and the application status judging device can also judge whether the applied-for scheduled process has been authorized.
The application status judging device can also judge whether the execution date and time of the scheduled process fall within the applied-for period.
It may further have: an execution condition holding device, which holds execution condition information defining the execution conditions of a specified process; and an application registration judging device, which registers the applied-for scheduled process in the schedule information on condition that the applied-for process content conforms to the execution condition information.
The validated-user information holding device may also hold upgrade user information indicating users who can obtain special privileges different from ordinary user privileges; when special privileges are specified as an execution condition of the applied-for scheduled process, the application status judging device also judges whether the visitor is a user who can obtain special privileges.
The present invention thus provides a business information protection device that can improve the information security of a business information system.
Description of drawings
Fig. 1 is a block diagram showing a configuration example of the business information system of this embodiment.
Fig. 2 is a block diagram showing a functional configuration example of the business information protection device.
Fig. 3 shows an example of the data structure of the execution condition information in the execution condition holding part.
Fig. 4 shows an example of the recorded content of the access log held by the log holding part.
Fig. 5 shows a display example of the login screen.
Fig. 6 shows a display example of the access application screen.
Fig. 7 shows a display example of the access authorization screen.
Fig. 8 shows a display example of the access application and privilege level setting screen.
Fig. 9 shows a display example of the access log search screen.
Fig. 10 shows a display example of the search result screen.
Fig. 11 is a flowchart explaining the access checking process.
Explanation of reference numerals
10 business information protection device
11 relay device
111 login interface handling part
12 user authentication device
13 application management device
20 job terminal
40 user environment
41 financial information system
42 customer information system
43 inventory management system
44 authorization terminal
121 user authentication part
122 validated user information holding part
131 application status management part
131A job application part
131B registration determination part
131C application notification part
131D job authorization part
132 application status determination part
133 access interface handling part
135 execution condition holding part
136 job schedule holding part
138 upgrade processing part
151 log management part
152 log holding part
151A log recording part
151B job verification part
Embodiment
[Configuration of the business information system]
Fig. 1 shows a configuration example of the business information system of this embodiment. In the system shown in this figure, business information protection device 10 is connected to job terminal 20 through network 30, while user environment 40 is connected to network 30 through business information protection device 10. Log management device 15 is also connected to business information protection device 10.
In the business information system of Fig. 1, user environment 40 represents the business environment of a certain company A. The various business systems in user environment 40 receive appropriate maintenance after going into operation. Sometimes this maintenance is performed inside user environment 40, but usually it is performed by remote access from job terminal 20. Below, the user who performs such remote maintenance work is simply called the "operator". The operator is most often a system engineer (SE) of the management company that has signed a maintenance contract with company A. The operator operates job terminal 20 and logs in remotely to the various business information systems in user environment 40 through network 30 and business information protection device 10. The communication path between job terminal 20 and business information protection device 10 is preferably a secure path using a VPN (Virtual Private Network) or the like.
The description below assumes remote access over network 30, which may be a public line such as the Internet or a LAN (Local Area Network), but business information protection device 10 may also be connected to user environment 40 and job terminal 20 by dedicated lines.
In this specification the terms "client enterprise" and "user environment 40" refer to an enterprise that conducts its business by operating various business information systems, and mean the client that receives maintenance service from an external job terminal 20.
Business information protection device 10 centrally receives the remote login requests sent from job terminal 20 to user environment 40 and is installed as a network security gateway. It performs access control for communication protocols such as TELNET (Telecommunication network), SSH (Secure Shell), FTP (File Transfer Protocol), HTTP (HyperText Transfer Protocol), HTTPS (Hypertext Transfer Protocol Security, the secure version of HTTP), Windows RDP (Remote Desktop Protocol) and CIFS (Common Internet File System), and obtains logs for checking (described in detail later).
Business information protection device 10 permits remote login from job terminal 20 only on condition that both of the following two-stage judgements are affirmative.
1. Whether the operator is a user registered in advance (hereinafter "user authentication").
2. Whether the operator has (correctly) applied in advance for execution of the maintenance work (hereinafter "application determination").
Business information protection device 10 comprises relay device 11, user authentication device 12, application management device 13 and access right management device 14. Business information protection device 10 may be a single device that integrates the functions of relay device 11, user authentication device 12, application management device 13 and access right management device 14, but in this embodiment, for the following reason, business information protection device 10 is described as an aggregate of these three devices.
In general, a system is usually configured as follows: the operator logs in remotely from his own terminal to a terminal server, and access to the business information system is permitted on condition that the terminal server performs user authentication. In this embodiment, in addition to such a conventional system, user authentication device 12, application management device 13 and access right management device 14 are introduced, improving information security through application determination. That is, relay device 11 of Fig. 1 can be an existing terminal server; below it is described as an ordinary PC (Personal Computer) terminal on which WINDOWS (registered trademark) is installed.
When relay device 11 is accessed by job terminal 20 via network 30, it checks the IP address, host name and so on of job terminal 20, and if job terminal 20 is not a permitted connection source it immediately disconnects and does not allow the connection. If job terminal 20 is a permitted connection source, relay device 11 asks it for an ID and password, and passes the ID and password received in response to user authentication device 12, application management device 13 and access right management device 14, requesting confirmation.
User authentication device 12 performs "user authentication" on behalf of relay device 11. First, the user of job terminal 20 logs in remotely to relay device 11 as before; the ID and password are sent to relay device 11 through network 30. User authentication device 12 receives the ID and password from relay device 11, performs user authentication, and returns the result to relay device 11.
Application management device 13 performs "application determination" after receiving the ID and password from relay device 11. Before logging in remotely to a business information system, the operator must apply in advance, specifying when which kind of work will be performed. Application management device 13 manages such job schedules centrally, and when a remote login request is received from an operator it confirms whether that operator has applied for some maintenance work in advance. Access to the business information system is permitted on condition that user authentication succeeds and a job has been applied for.
Access right management device 14 performs "access right authentication" on behalf of relay device 11. That is, access right management device 14 receives from relay device 11 the ID and password and information indicating the access destination (IP address, host name and so on), authenticates whether that user is permitted to connect to the access destination (whether the user has access rights), and returns the result to relay device 11.
Relay device 11, user authentication device 12, application management device 13 and access right management device 14 each consist of two servers, a primary and a secondary, and have a failover function. That is, they are configured so that when the primary server fails for some reason, the IP address of the primary server is added to the secondary server. Specifically, the primary and secondary servers each have a real IP address and a virtual IP address; the secondary server monitors the primary server and, when it detects an abnormality, takes over the virtual IP address of the primary. Operators access the virtual IP address, so when an abnormality occurs, access to the primary server is automatically replaced by access to the secondary server. The operator can thus continue to use the service through the secondary server without noticing that the primary server has failed.
The main advantages of business information protection device 10 of this embodiment are the following five points.
1. Because application determination is performed in addition to user authentication, the information security of the business information system is strengthened.
2. It is easy to introduce into a business information system that is already in operation.
3. The burden on users associated with application determination can be reduced.
4. A single business information protection device 10 can manage multiple business information systems centrally.
5. Because application content and access logs are bound together, access checking is easy.
Log management device 15 obtains and manages the content of accesses performed through relay device 11. For example, it obtains and manages a "summary log" of data such as access date and time and IP address, and a "full log" of the data sent and received.
Log management device 15 binds the job application content managed by application management device 13 to the access logs it manages, so access checking can be performed easily. Access checking means searching the access log and checking whether the accesses in the log are the applied-for work.
When the operator enters on job terminal 20 the ID and password for logging in remotely to user environment 40, the ID and password are sent as a remote login request through network 30 to business information protection device 10.
User environment 40 comprises three business information systems, financial information system 41, customer information system 42 and inventory management system 43, together with authorization terminal 44. Financial information system 41 manages the financial information of company A. Customer information system 42 manages the customer information of company A. Inventory management system 43 manages the merchandise inventory status of company A. Authorization terminal 44 is an ordinary PC terminal on which a Web browser is installed. Authorization terminal 44 does not necessarily belong to user environment 40 and may be a portable terminal such as a notebook computer.
Fig. 2 is a block diagram showing a functional configuration example of business information protection device 10 and log management device 15.
Each block shown in Fig. 2 can be realized in hardware by elements or mechanical devices including a computer CPU, and in software by a computer program or the like; here, however, each block shown in Fig. 2 represents a functional block realized by the cooperation of hardware and software. These functional blocks can therefore be realized in various forms by combinations of hardware and software.
A: Relay device 11
Login interface handling part 111 of relay device 11 receives the remote login request from job terminal 20. This remote login request contains the ID and password. Relay device 11 forwards the received ID and password so that user authentication device 12 performs user authentication, application management device 13 performs application determination, and access right management device 14 performs access right authentication. In addition, when login interface handling part 111 has obtained information indicating the access destination (IP address, host name and so on) from job terminal 20, it forwards that information so that access right management device 14 can perform access right authentication. Login interface handling part 111 then receives the respective judgement results from user authentication device 12, application management device 13 and access right management device 14. Below, data used to identify a user, such as an ID or password, is called "user identification information". As a modification, user identification information may be biometric information such as a fingerprint or iris.
Relay device 11 need not be a single device. For example, there may be a relay device 11 for financial information system 41 and a separate relay device 11 for customer information system 42, or the operator may access the destination business information system through any relay device 11 among a plurality of relay devices 11. From the viewpoint of load distribution and availability, providing a plurality of relay devices 11 is preferable. Likewise, from the viewpoint of load distribution and availability, a plurality of user authentication devices 12, application management devices 13 and access right management devices 14 may be provided.
B: User authentication device 12
User authentication device 12 comprises user authentication part 121 and validated user information holding part 122. When login interface handling part 111 of relay device 11 receives a remote login request, user authentication part 121 obtains the ID and password from login interface handling part 111, and performs user authentication by judging whether the user at the sending source is registered as a legitimate user in validated user information holding part 122. Validated user information holding part 122 holds validated user information that associates IDs with passwords. A user registered in this validated user information is called a "validated user". User authentication part 121 performs user authentication not only for operators but also for authorizers, as described in detail later. User information holding part 122 is installed inside user authentication device 12, but it is not limited to this and may, for example, be an external device such as an LDAP (Lightweight Directory Access Protocol) server.
The maintenance work performed on a business information system also includes operations with a particularly large influence on the system, such as release operations. To perform such maintenance work the operator needs to access the system with privileges equivalent to an administrator's rather than with ordinary user privileges. From the viewpoint of improving the information security of the business information system, however, such special user privileges (hereinafter simply "special privileges") should preferably not be granted lightly. The detailed architecture is described later, but business information protection device 10 can strictly control which users are in a state in which they can obtain special privileges (hereinafter "upgradable users"). In addition to the validated user information, validated user information holding part 122 holds upgrade user information indicating the upgradable users. Registering a user in the upgrade user information so that he becomes an upgradable user is called "upgrading" (privilege escalation), and deleting him from the upgrade user information so that he is no longer an upgradable user is called "downgrading".
User authentication device 12 of this embodiment is a single device that manages user identification information centrally. Performing user authentication for multiple business information systems and multiple participants through a single user authentication device 12 yields a structure with an easily managed user authentication policy.
C: applications management device 13
Applications management device 13 comprises application status management department 131, application status detection unit 132, access interface handling part 133, executive condition maintaining part 135, the predetermined maintaining part 136 of operation and upgrading processing portion 138.
The operator must apply for the execution of maintenance activity in advance for the access service infosystem.Application status management department 131 bears the processing relevant with the application of this operation.Application status management department 131 comprises the 131A of job request portion, registration detection unit 131B, the 131C of Request Notices portion and operation authorization portion 131D.
The operator sends job request information through job-oriented terminal 20 to applications management device 13 before the beginning operation.So-called job request information; Be operation purpose, job date and time, entry name, become the set of the input data such as system name of access object, but can comprise the incidental informations beyond the input data such as applicant's addresses of items of mail, date of application and time or applicant's IP address in addition.In addition, send job request information from job-oriented terminal 20, but be not limited to this, for example, can send from the application terminal (not shown) that is different from job-oriented terminal 20.
The 131A of job request portion receives job request information from job-oriented terminal 20.
Registration detection unit 131B judges whether the job request information that the job request 131A of portion receives conforms to the executive condition information that is registered in executive condition maintaining part 135 (back is described with reference to Fig. 3).Registration detection unit 131B is judged to be job request information and executive condition information when not being inconsistent, refuses an application, and with the operator of this result notification job-oriented terminal 20.When registration detection unit 131B is judged to be job request information conforms executive condition information, the operation that registration is applied in the operation predetermined information of the predetermined maintaining part 136 of operation.The job request that is registered in the operation predetermined information is called " effectively job request ".The content of the content of operation predetermined information and job request information can be identical in fact.That is, in the job request information of receiving, have only the job request information of the important document that satisfies the effective job request of conduct just formally to be registered in the predetermined maintaining part 136 of operation as " operation predetermined information ".
If effective job request is then registered detection unit 131B and is given the application number that is used for unique identification operation (operation ID).Application number, operation target date and time, job content, operator's name, licensing status etc. are by corresponding in the operation predetermined information.
Carry out the effective operation application as long as not only exist, also there is that type maintenance activity of not obtaining the authorization and just can not begin operation in that type maintenance activity that just can begin operation.As the part of executive condition information, can define like this.
In addition, among the job schedule information registered in job schedule holding unit 136, a job whose scheduled date and time have passed becomes an application history entry, and a refused application is recorded with the application status "refused".
When a valid job request is registered in job schedule holding unit 136, request notification unit 131C consults the execution condition information registered in execution condition holding unit 135 and judges whether the job content of the application requires authorization. When maintenance work requiring authorization has been applied for, request notification unit 131C notifies the authorizer of the application number. In this embodiment, request notification unit 131C sends an e-mail indicating the application number to authorization terminal 44. On receiving the notification, the authorizer operates the input unit (not shown) of authorization terminal 44, accesses application management device 13 of business information protection device 10 by application number, and enters whether the job is authorized.
Job authorization unit 131D receives from authorization terminal 44 whether the job is authorized. If it is authorized, job authorization unit 131D changes the authorization status in the job schedule information registered in job schedule holding unit 136 from "unauthorized" to "authorized". If it is refused, job authorization unit 131D notifies the operator of the refusal and at the same time records the application status of the job schedule information registered in job schedule holding unit 136 as "refused".
Application status determination unit 132 performs the application determination for execution. When a remote login request is received from an operator, it refers to the user identification information obtained from login interface processing unit 111 and the job schedule information registered in job schedule holding unit 136 and judges whether a job has been applied for. Application status determination unit 132 also judges whether the date and time at which the remote login request was received fall within the applied job period.
For example, when a job has been applied for with the scheduled job time "10:00~11:00", a remote login request made before 10:00 or after 11:00 receives a negative application determination and remote login is not permitted.
When both the user authentication and the application determination are affirmative, access interface processing unit 133 permits a communication path for access from work terminal 20 to user environment 40. Naturally, when maintenance work requiring authorization has been applied for, access is not permitted without authorization.
Execution condition holding unit 135 holds the access rules for maintenance work as execution condition information. Maintenance work has various purposes, such as fault response, investigation, running monitoring and disconnection jobs, so maintenance work can be divided into a plurality of kinds (hereinafter simply "work types"). For example, a disconnection job that adds a module to an operating information system may be something the operator wishes to permit only outside business hours. In that case, the management responsible person of the operating information system sets an execution condition so that the disconnection job can be performed only outside business hours. The data structure of execution condition holding unit 135 is described later with reference to Fig. 3.
Job schedule holding unit 136 holds the job schedule information formally registered by registration determination unit 131B of application status management unit 131, that is, the job requests that satisfy the requirements for a valid job request.
Upgrade processing unit 138 reads the job schedule information from job schedule holding unit 136 at prescribed times and judges whether there is a user who should be upgraded or a user who should be downgraded.
Application management device 13 of this embodiment is a single device that performs application determination in a unified manner. Because the application determinations relating to a plurality of operating information systems are performed by the single application management device 13, the execution conditions and the job schedule information are easy to manage.
Fig. 3 shows an example of the data structure of the execution condition information in execution condition holding unit 135.
Execution condition information consists of the access rules formulated by the management responsible person of each operating information system. Rule ID column 135A shows the ID used to uniquely identify an access rule (hereinafter "rule ID"); a rule ID is assigned when the access rule is registered. Date column 135B shows the dates on which the access rule applies. Time column 135C shows the times at which the access rule applies. For example, the access rule with rule ID "1" applies on business days of enterprise A during the period "6:00~16:00". Work type column 135D shows the work types of the maintenance work to which the access rule applies. Authorization-required column 135E shows whether authorization is required in order to perform that work.
In the example of Fig. 3, the maintenance work to which the access rule with rule ID "1" applies is work performed on a "business day" during "6:00~16:00" for the purpose of "fault response" (work type "01") or "investigation" (work type "02"), and this work does not require authorization. That is, when an operator performs maintenance work for the purpose of fault response with "6:00~16:00" on a business day as the scheduled date and time, it is sufficient for the operator to submit a job request stating that purpose in advance; no authorization is needed. The maintenance work to which the access rule with rule ID "2" applies is work performed on a "business day" during "6:00~16:00" for the purpose of "running monitoring" (work type "03") or a "disconnection job" (work type "04"), and this work requires authorization. That is, when maintenance work for the purpose of "running monitoring" or a "disconnection job" is performed during "6:00~16:00" on a business day, a job request alone is not enough: if the job is not authorized, access is not possible.
For example, suppose operator A makes a remote access request at date and time T, which falls within "6:00~16:00" on a business day. The application determination results obtained from the execution condition information shown in the example of Fig. 3 are as follows.
1. If no job whose scheduled job time contains date and time T has been applied for, the determination is negative.
2. If a fault response job whose scheduled job time contains date and time T has been applied for, the determination is affirmative.
3. If a running monitoring job whose scheduled job time contains date and time T has been applied for, application status determination unit 132 refers to job schedule holding unit 136; if the applied running monitoring job has been authorized, the determination is affirmative, and if it is unauthorized or refused, the determination is negative.
In addition, registration determination unit 131B automatically refuses an application when the same operator applies for a different job at the same date and time. Therefore, an operator cannot apply for both a fault response job and a running monitoring job with date and time T as the target.
Execution condition holding unit 135 can hold execution condition information separately for each operating information system, but in this embodiment it holds unified execution condition information, that is, common access rules defined for financial information system 41, customer information system 42 and inventory management system 43. In the case illustrated in this embodiment, special authority is needed to perform the "disconnection job" of work type "04", but the other jobs do not need special authority.
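The registration determination (131B), the authorization step (131D) and the application determination at login time (132) can be replayed against the Fig. 3 rule table as a small state machine. The following is an added example written for this page; it is not code from the patent or from Nomura Research Institute. The rule table, the "business day" test (Monday to Friday, no holiday calendar), the application numbers and the date 2006-09-28 used for cases 1 to 3 are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, date, time

# Constructed execution condition information in the shape of Fig. 3:
# rule 1 covers work types 01 (fault response) and 02 (investigation) on
# business days 6:00-16:00 without authorization; rule 2 covers 03 (running
# monitoring) and 04 (disconnection job) in the same window with authorization.
@dataclass(frozen=True)
class AccessRule:
    rule_id: int
    start: time
    end: time
    job_types: frozenset
    auth_required: bool

RULES = (
    AccessRule(1, time(6, 0), time(16, 0), frozenset({"01", "02"}), False),
    AccessRule(2, time(6, 0), time(16, 0), frozenset({"03", "04"}), True),
)

def is_business_day(d: date) -> bool:
    # Assumption: Monday to Friday; a real deployment would consult a holiday calendar.
    return d.weekday() < 5

@dataclass
class JobSchedule:
    """One entry of the job schedule information (holding unit 136)."""
    app_id: int
    operator: str
    job_type: str
    start: datetime
    end: datetime
    auth_required: bool
    auth_status: str = "unauthorized"   # unauthorized / authorized / refused
    app_status: str = "registered"      # registered / refused

class ApplicationManager:
    """Registration determination (131B), job authorization (131D) and
    application status determination (132) over an in-memory schedule."""

    def __init__(self):
        self.schedule = []
        self._next_id = 1

    def _matching_rule(self, job_type, start, end):
        if start.date() != end.date() or not is_business_day(start.date()):
            return None
        for rule in RULES:
            if job_type in rule.job_types and rule.start <= start.time() and end.time() <= rule.end:
                return rule
        return None

    def apply(self, operator, job_type, start, end):
        """Returns (accepted, reason, app_id); only valid requests get an application number."""
        rule = self._matching_rule(job_type, start, end)
        if rule is None:
            return False, "job request does not conform to execution conditions", None
        for s in self.schedule:
            if (s.operator == operator and s.app_status == "registered"
                    and s.start < end and start < s.end):
                return False, "same operator already applied for an overlapping job", None
        app_id = self._next_id
        self._next_id += 1
        self.schedule.append(JobSchedule(app_id, operator, job_type, start, end, rule.auth_required))
        return True, "registered", app_id

    def authorize(self, app_id, approve):
        """Authorizer's decision on a registered application number."""
        for s in self.schedule:
            if s.app_id == app_id:
                if approve:
                    s.auth_status = "authorized"
                else:
                    s.auth_status = "refused"
                    s.app_status = "refused"
                return True
        return False

    def judge_login(self, operator, at):
        """Application determination for a remote login by `operator` at datetime `at`."""
        for s in self.schedule:
            if s.operator != operator or s.app_status != "registered":
                continue
            if not (s.start <= at <= s.end):
                continue
            return (not s.auth_required) or s.auth_status == "authorized"
        return False   # no application covering this time: negative determination

def run_fig3_scenarios():
    """Replays cases 1-3 from the text plus the time-window and overlap checks."""
    day = date(2006, 9, 28)   # constructed: a Thursday, hence a business day
    t10, t11 = datetime.combine(day, time(10, 0)), datetime.combine(day, time(11, 0))
    T = datetime.combine(day, time(10, 30))
    out, am = {}, ApplicationManager()
    out["no_application"] = am.judge_login("A", T)                    # case 1
    ok, _, _ = am.apply("A", "01", t10, t11)
    out["fault_response_registered"] = ok
    out["fault_response_login"] = am.judge_login("A", T)              # case 2
    out["outside_window"] = am.judge_login("A", datetime.combine(day, time(9, 59)))
    ok, _, _ = am.apply("A", "03", t10, t11)
    out["overlap_refused"] = not ok
    ok, _, app_id = am.apply("B", "03", t10, t11)
    out["monitoring_before_auth"] = am.judge_login("B", T)            # case 3, unauthorized
    am.authorize(app_id, True)
    out["monitoring_after_auth"] = am.judge_login("B", T)             # case 3, authorized
    ok, _, _ = am.apply("C", "04", datetime.combine(day, time(17, 0)),
                        datetime.combine(day, time(18, 0)))
    out["disconnection_outside_hours_rejected"] = not ok
    return out
```

The design point is that `judge_login` fails closed: a login with no covering application, one outside the applied window, or one whose job still awaits authorization all return the negative determination, and the overlap check in `apply` is what prevents one operator from holding two different applications for the same time.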
D: Access right management device 14
Access right management device 14 comprises access right authentication unit 141 and access right information holding unit 142. When login interface processing unit 111 of relay device 11 receives a remote login request, access right authentication unit 141 obtains from login interface processing unit 111 the user ID and password and the information indicating the access destination (IP address, host name and so on), and judges, based on the access application situation registered in access right information holding unit 142, whether the user at that transmission source is permitted to connect to the access destination (whether the user has the access right). Access right information holding unit 142 holds the access application situation in correspondence with the user ID and the information indicating the access destination.
E: Log management device 15
Log management unit 151 manages the access logs of access from work terminal 20 to user environment 40. Log management unit 151 comprises log recording unit 151A and job verification unit 151B. Log recording unit 151A records, as an access log, the execution of a remote login request, the commands or data exchanged between work terminal 20 and the operating information system, and the date and time of that execution. At recording time, log recording unit 151A binds the application number assigned by registration determination unit 131B of application status management unit 131 to the access log of the job request content corresponding to that application number. Log recording unit 151A also records a refusal history log of events such as authentication failures, missing applications and missing access rights.
Job verification unit 151B compares the content of the access log held in log holding unit 152 with the job schedule information registered in job schedule holding unit 136 that corresponds to the application number bound to that access log, and checks whether the access was illegal.
For example, when a file rewriting operation is executed during a job request whose purpose is "running monitoring", job verification unit 151B detects that unauthorized access by referring to the access log held in log holding unit 152. Job verification unit 151B notifies authorization terminal 44 of the result that unauthorized access, or access suspected to be unauthorized, exists. Alternatively, at the point in time when unauthorized access is detected, access interface processing unit 133 may forcibly prohibit the remote access.
Log holding unit 152 holds the application number assigned by registration determination unit 131B of application status management unit 131 bound to the access log of the job request content corresponding to that application number. The recorded content of the access logs held by log holding unit 152 is described later with reference to Fig. 4.
Fig. 4 shows an example of the recorded content of an access log held by log holding unit 152.
Log holding unit 152 comprises summary log recording area 152A and full-text log recording area 152B, and holds two kinds of logs: a summary log and a full-text log. The summary log includes the IP address and host name, the user ID, the start time, end time and connection time of the access, the terminal used, the access destination server and so on. The full-text log includes the content actually executed, the operation commands and so on.
In the example of Fig. 4, summary log recording area 152A and full-text log recording area 152B each hold the required recorded content per protocol. For example, for the "TELNET" protocol, summary log recording area 152A records the date and time at which the access began, the port, the connection source IP address, the user ID, the connection destination IP address and the connection time, while full-text log recording area 152B records the data exchanged.
The recorded content of the access log shown above is bound to the application number and held in log holding unit 152. Access logs obtained through Windows RDP are recorded as video.
Fig. 5 shows a display example of the login screen.
When a remote login to relay device 11 is requested from work terminal 20, login screen 50 shown in Fig. 5 is displayed on work terminal 20. When relay device 11 receives the remote login request, login window 51 is displayed in login screen 50 of work terminal 20. That is, login interface processing unit 111 of relay device 11 provides the user interface screen for work terminal 20. The user of work terminal 20 enters the user ID and password in login window 51 displayed in login screen 50. From the user's point of view the user interface is identical to that provided by a conventional terminal server, but the entered user identification information is supplied to user authentication device 12, application management device 13 and access right management device 14 and used respectively for user authentication, application determination and access right authentication.
Fig. 6 shows a display example of the access application screen.
When an operator accesses application management device 13 from work terminal 20 to make a job request, access application screen 60 shown in Fig. 6 is displayed on work terminal 20. That is, when work terminal 20 accesses it, job request unit 131A of application status management unit 131 displays access application screen 60 on work terminal 20 as a Web page.
The user name of the applicant is entered in applicant name area 61. When the job is to be performed by someone other than the applicant, the applicant enters the user name of the person scheduled to actually perform the job. The project name of the job being applied for is entered in project name area 62. The type of the target operating information system is selected in system classification area 63; here financial information system 64 is selected. Access interface processing unit 133 can then control access so that, on the applied date and time, this user is prohibited from accessing any system other than the selected operating information system.
System name area 64 shows the name of the operating information system, and work type area 65 shows the work type. Content input area 66 is an area for freely describing the job content and so on. Attachment area 67 is an area for attaching electronic files such as the protocol document to be used. Access date and time area 68 shows the scheduled job date and time. After entering data in the items of access application screen 60, the operator clicks application button 69. Work terminal 20 then sends the entered data to application management device 13 as job request information.
When an access application is made, an electronic file recording the protocol actually used and the like is attached in addition to the applicant name, project name, system classification, system name, work type, content and access date and time, so the job request information and the attached electronic file can be managed together.
Fig. 7 shows a display example of the access authorization screen.
For a job request requiring authorization, access authorization screen 70 shown in Fig. 7 is displayed on authorization terminal 44. That is, for a job request requiring authorization, registration determination unit 131B of application status management unit 131 notifies authorization terminal 44 of the application number. When the authorizer accesses application management device 13 specifying that application number, job authorization unit 131D displays access authorization screen 70 on authorization terminal 44 as a Web page.
Application information area 71 shows the application content entered in access application screen 60. Authorizer name area 72 is an area for entering the authorizer's name. Authorization delegate name area 73 is an area for entering the user name of the person to whom authorization is delegated. For example, when user B, who holds authorization privilege, delegates authorization to user C, user C makes the authorization determination on behalf of user B. This is a measure for special circumstances such as user B being on holiday.
Communication column 74 is a column for recording information addressed to the job requester: the reason for refusing an application, or, when an application is authorized, conditions or notes attached to the job content. Authorize button 75 is used when authorizing and refuse button 76 when refusing. When either authorize button 75 or refuse button 76 is clicked, the entered content is sent to application management device 13 together with data indicating whether the job is authorized. Job authorization unit 131D sends this data to work terminal 20, for example by e-mail.
When maintenance work requiring special authority, such as a "disconnection job", is applied for, the upgraded user information is updated based on whether the job is authorized and on the execution condition information. For example, suppose a disconnection job is applied for with a period within "6:00~16:00" on a business day as the scheduled job time. If the job is authorized, the applicant is upgraded, limited to the applied date and time. For example, suppose user A applied for a disconnection job with "10:00~11:00" on business day "September 28, 2006" as the scheduled job date and time. If this job is authorized, user A becomes an upgraded user only during the period shown by the scheduled job date and time. That is, when 10:00 on September 28, 2006 arrives, upgrade processing unit 138 upgrades user A and registers user A in the upgraded user information of valid user information holding unit 122. When 11:00 on September 28 arrives, or when the disconnection job ends, user A is downgraded and deleted from the upgraded user information. Thus, in this embodiment, special authority is authority with a time restriction.
The special authority referred to here may be so-called superuser (root) authority or administrator authority. That is, an upgraded user is a user who, after logging in with their own ID, can obtain superuser privilege through, for example, the "su command" of UNIX (registered trademark).
Whether special authority is granted may also be managed by an access policy separate from the application and authorization process. For example, operator B's job may be permitted under the following conditions: the disconnection job is applied for by operator B, authorizer C authorizes the job, and a further authorizer D permits special authority to be granted to operator B. Separating the administrator of the important "special authority" from the job authorizer in this way further strengthens the information security of business information protection device 10.
Upgrade processing unit 138 may also upgrade a prescribed user when a prescribed condition holds, independently of any job request. For example, if user B is an expert in disaster response and upgrade processing unit 138 detects that an earthquake has occurred, it may upgrade user B for a prescribed time. In such an emergency, the access rule may omit the job request formalities. That is, a seismometer in business information protection device 10 measuring vibration above a set level can serve as the promotion condition for user D.
As another example, detection of a computer virus in an operating information system may be the promotion condition for a prescribed user. Conversely, when user C, who holds special authority, performs access beyond the scope of the job request, user C may be downgraded. That is, upgrade or downgrade processing may be carried out with the occurrence of a prescribed event in business information protection device 10 or user environment 40 as the upgrade or downgrade condition. The management responsible person may also set upgrade and downgrade conditions in upgrade processing unit 138 from outside. Therefore, even in emergencies such as those above, an appropriate user can quickly be upgraded under a time-restricted condition.
Fig. 8 shows a display example of the access application and authority level setting screen.
When the administrator presets the access authorization level for job request information, access application and authority level setting screen 80 shown in Fig. 8 is displayed on authorization terminal 44. On access application and authority level setting screen 80 the administrator can set, per server and per port, whether prior application or authorization is required.
Protocol and port number area 81 shows the port number of each protocol. Service start area 82 is used to set whether a service such as a user interface is started automatically at access time. Full-text log acquisition area 83 is used to set whether a full-text log of the job content is acquired. Access authorization level area 84 is used to set the authority level, that is, whether prior application or authorization is required.
On access application and authority level setting screen 80 the administrator can set not only the authority level but also, per protocol and port number, the retention period of the summary log, the retention period of the full-text log, the application period, whether screen operation logs are saved, and the server state. Unneeded access logs can thus be deleted efficiently from the large volume of access logs held by log holding unit 152.
In the example of Fig. 8, port 23 of the TELNET protocol is set to require both prior application and authorization, whereas port 223 of the TELNET protocol is set so that neither application nor authorization is required at access time. In this way a normally used port can be set to "prior application and authorization", while, anticipating that the authorizer may be absent in an emergency, another port can be set to "prior application" only.
Fig. 9 shows a display example of the access log search screen.
Access log search screen 90 shown in Fig. 9 is displayed on authorization terminal 44 when the authorizer performs an access inspection (log inspection). To confirm whether the permitted access was carried out as the job content applied for in advance, the authorizer sets on access log search screen 90 the search conditions for the access logs to be retrieved. Search button 91 is used to run a search of the access logs under the set search conditions. When search button 91 is clicked, data representing the search conditions is sent to log management device 15. Log management unit 151 of log management device 15 (job verification unit 151B) extracts, based on the search condition data, the access logs registered in log holding unit 152 and at the same time the job schedule information registered in job schedule holding unit 136 of application management device 13.
Fig. 10 shows a display example of the search result screen.
When search button 91 of access log search screen 90 is clicked, search result screen 100 shown in Fig. 10 is displayed on authorization terminal 44. That is, application management device 13 and log management device 15 retrieve the access logs satisfying the search conditions the authorizer set on access log search screen 90, the search result (access logs and job schedule information) is sent to authorization terminal 44, and it is displayed as a list of summaries on search result screen 100.
File icon 101 is a button for downloading the concrete job content. When file icon 101 is clicked, the specific content of the executed commands is obtained and displayed as text. File icon 102 is a button for downloading the application content. When file icon 102 is clicked, the specific application content is obtained and displayed. Because the authorizer can easily compare the access log with the application content, the log inspection can be carried out efficiently.
In addition, if commands that are considered prohibited or unnecessary in light of the application content are registered in advance as keywords, the records containing such a keyword, together with their line numbers, can be extracted. For example, it is known at application time that when access of the category "general ID operation" is applied for, access with a general ID should not issue a command for obtaining a privileged ID and has no need to issue a command for adding a user either. So for "general ID operation", "su -" (the command for obtaining a privileged ID) and "useradd" (the command for adding a user) are registered as keywords for commands that are prohibited or unnecessary. Access logs containing commands considered prohibited or unnecessary in light of the application content can thus be extracted and presented to the authorizer, so illegal use can be found efficiently.
If the mail notification function is used, an e-mail can be sent to the administrator whenever an operation matching a keyword has been performed. The log inspection can thus be carried out efficiently by access inspection alone.
Here, the search result was shown in a form that allows the access log and the application content to be compared, but job verification unit 151B of log management unit 151 may also, based on the search condition data, compare the job schedule information registered in job schedule holding unit 136 of application management device 13 with the access logs registered in log holding unit 152, and detect as unauthorized access any access shown in the log information that does not match the maintenance work applied for in the job schedule information.
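The keyword check described for "general ID operation" above and the comparison of access logs against the job schedule information performed by job verification unit 151B can be combined into one verification pass over the full-text log. The following is an added example written for this page, not code from the patent or from Nomura Research Institute; the log records, the application numbers 101 and 102, the work categories and the keyword list for "running monitoring" (standing in for the file rewriting case in the text) are constructed assumptions. Only "su -" and "useradd" for the general-ID category come from the text.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LogEntry:
    """One full-text log record: the application number bound at recording time,
    the user ID and the command that was actually executed."""
    app_id: Optional[int]
    user_id: str
    command: str

# Constructed job schedule information: application number -> applied work category.
SCHEDULE = {101: "general_id_operation", 102: "running_monitoring"}

# Constructed keyword registration: commands prohibited or unnecessary for a category.
# The general-ID entries follow the text; the running-monitoring entries are an
# assumption standing in for "file rewriting is outside a monitoring job".
KEYWORDS = {
    "general_id_operation": (r"\bsu\s*-", r"\buseradd\b"),
    "running_monitoring": (r"\brm\b", r"\bcp\b", r"\bvi\b", r">"),
}

# Constructed sample log: lines 2, 3 and 5 should be flagged, line 6 has no application.
CONSTRUCTED_LOG = [
    LogEntry(101, "opA", "ls -l /home"),
    LogEntry(101, "opA", "su - root"),
    LogEntry(101, "opA", "useradd newuser"),
    LogEntry(102, "opB", "tail -f /var/log/messages"),
    LogEntry(102, "opB", "cp /etc/hosts /etc/hosts.bak"),
    LogEntry(None, "opC", "cat /etc/passwd"),
]

def verify_access_log(log, schedule=SCHEDULE, keywords=KEYWORDS):
    """Returns (line_no, app_id, reason) for every record to present to the authorizer:
    access without a registered application, or a command matching a registered keyword
    for the category that was actually applied for."""
    findings = []
    for line_no, entry in enumerate(log, start=1):
        category = schedule.get(entry.app_id) if entry.app_id is not None else None
        if category is None:
            findings.append((line_no, entry.app_id, "access without a registered application"))
            continue
        for pattern in keywords.get(category, ()):
            if re.search(pattern, entry.command):
                findings.append((line_no, entry.app_id, f"keyword {pattern!r} in {category}"))
                break   # one finding per line is enough for the inspection list
    return findings

def findings_per_application(findings):
    """Summary for the search result list: how many flagged lines per application number."""
    counts = {}
    for _, app_id, _ in findings:
        counts[app_id] = counts.get(app_id, 0) + 1
    return counts
```

Because the keyword set is selected by the category bound to the application number, the same command is judged differently depending on what was applied for, which is the point of binding the application number to the log at recording time: a copy command is unremarkable in a disconnection job and a finding in a monitoring job.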
[Job request processing]
The job request processing performed by the operator of work terminal 20 is described here. The operator first enters the user ID and password on login screen 50 shown in Fig. 5, displayed on work terminal 20. Work terminal 20 accesses application management device 13 directly with the entered user identification information, not via relay device 11. Application management device 13 sends the user identification information to user authentication device 12. User authentication unit 121 of user authentication device 12 performs user authentication with reference to the valid user information of valid user information holding unit 122; if authentication fails, the subsequent processing is not performed.
If authentication succeeds, user authentication device 12 notifies application management device 13 of the successful authentication. Job request unit 131A of application management device 13 sends the data for the application screen to work terminal 20, and work terminal 20 displays access application screen 60 shown in Fig. 6. The user enters data on access application screen 60, and the entered data is sent to application management device 13 as job request information.
Registration determination unit 131B of application management device 13 compares the applied job content with the execution condition information of execution condition holding unit 135 and judges whether it can be registered. If it is not a valid job request, registration determination unit 131B refuses the application, notifies work terminal 20 of the refusal, and does not perform the subsequent processing. If it is judged to be a valid job request, registration determination unit 131B registers the applied maintenance work in the job schedule information of job schedule holding unit 136. If the job requires authorization, request notification unit 131C sends an e-mail requesting authorization to authorization terminal 44.
Through the above processing, only job request information that satisfies the requirements for a valid job request is formally registered in job schedule holding unit 136 as "job schedule information".
[Job authorization processing]
Next, the authorization processing for job content applied for through the job request processing is described. After receiving the e-mail stating that an application has been made, authorization terminal 44 accesses application management device 13. The authorizer enters the user ID and password on login screen 50 shown in Fig. 5 at any convenient time, and also specifies the application number when entering the user ID and password. Authorization terminal 44 sends the entered authorizer's user ID and password to user authentication device 12. User authentication unit 121 of user authentication device 12 obtains the user ID and password from authorization terminal 44 and performs user authentication of the authorizer with reference to the valid user information registered in valid user information holding unit 122. If user authentication fails, the subsequent processing is not performed.
If authentication succeeds, job authorization unit 131D of application management device 13 retrieves the job request information registered in job schedule holding unit 136 based on the application number obtained from authorization terminal 44. Based on the retrieved job request information, job authorization unit 131D sends the HTML (HyperText Markup Language) data for access authorization screen 70 to authorization terminal 44. Authorization terminal 44 displays access authorization screen 70 (Fig. 7) for the job of the specified application number. The authorizer checks access authorization screen 70 and clicks authorize button 75 or refuse button 76, whereupon the entered data is sent to application management device 13. Job authorization unit 131D of application management device 13 updates the job schedule information of job schedule holding unit 136 according to whether the job was authorized, and notifies work terminal 20 whether the job was authorized.
Through the above processing, the applied job is authorized. When the authorizer accesses application management device 13, application management device 13 may display a list of job requests awaiting authorization, with a user interface from which the authorizer selects the job request to be authorized. A plurality of job requests may also be authorized or refused collectively.
[Remote login processing]
Next, remote login processing for the business information system is described. The operator first accesses the relay device 11 from the job terminal 20. The relay device 11 checks the IP address of the job terminal 20 making the connection, judges whether the connection is allowed, and disconnects if it is not. If the connection from the job terminal 20 is allowed, the relay device 11 requests user identification information (user ID and password) from the job terminal 20 in the form appropriate for the protocol. The job terminal 20 displays the login screen 50 (Fig. 5), accepts the user ID and password entered by the operator, and sends them to the relay device 11.
The relay device 11 supplies the user ID and password received from the job terminal 20 to the user authentication device 12, the application management device 13 and the access right management device 14. The user authentication unit 121 of the user authentication device 12 obtains the user ID and password from the relay device 11 and authenticates the operator against the valid user information registered in the valid user information holding unit 122. If user authentication fails, no further processing is carried out.
If authentication succeeds, the relay device 11 requests the job terminal 20 to enter the access destination. The job terminal 20 accepts the access destination entered by the operator and sends information identifying the destination (IP address, host name, etc.) to the relay device 11, which forwards it to the access right management device 14. The access right authentication unit 141 of the access right management device 14 refers to the access application status registered in the access right information holding unit 142 and, based on the destination information, confirms this user's access right to the destination. If the access right authentication unit 141 judges the access inappropriate, this user's access to the destination is refused; if it judges the access appropriate, the access is allowed. Only when every judgement is affirmative can the operator access the business information system that is the object of the maintenance work.
Through the above processing, a remote login to the business information system that is judged to be unauthorized fails, so the access is denied.
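The remote login gate described above, written out as an added example (this is illustrative code, not code from the patent or from Nomura Research Institute). It chains the three checks in the order the description gives them: the relay device's source-address check, user authentication, and the application status judgement that requires an authorized job request naming the destination whose applied window contains the current time. The user names, passwords, network range, host names, application numbers and the `JobRequest` record layout are all constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class JobRequest:
    """One row of the operation schedule holding unit 136 (constructed layout)."""
    app_no: str
    user_id: str
    destination: str      # host name or IP address the applicant may access
    start: datetime       # applied operation target window [start, end)
    end: datetime
    authorized: bool      # set by the authorizer on the access authorization screen


# Constructed sample data: valid user information, relay allow-list and two job
# requests, one authorized and one still pending.
VALID_USERS = {"userA": "correct-horse", "userB": "battery-staple"}
ALLOWED_NETWORKS = [ip_network("10.0.1.0/24")]
SCHEDULE = [
    JobRequest("A-0001", "userA", "db01.example.internal",
               datetime(2006, 9, 28, 10, 0), datetime(2006, 9, 28, 11, 0), True),
    JobRequest("A-0002", "userB", "db01.example.internal",
               datetime(2006, 9, 28, 10, 0), datetime(2006, 9, 28, 11, 0), False),
]


def relay_allows(src_ip: str) -> bool:
    """Relay device 11: source-address check before credentials are even requested."""
    return any(ip_address(src_ip) in net for net in ALLOWED_NETWORKS)


def authenticate(user_id: str, password: str) -> bool:
    """User authentication device 12 (constructed: plaintext compare; a real store
    would hold password hashes). compare_digest avoids a timing side channel."""
    stored = VALID_USERS.get(user_id)
    return stored is not None and hmac.compare_digest(stored, password)


def find_application(user_id: str, destination: str, now: datetime):
    """Application status judgement: the accessor needs an authorized job request
    naming this destination whose window contains `now`. Returns (job, reason).
    Every matching request is examined, so a pending request does not shadow an
    authorized one for the same destination."""
    reason = "no application for this destination"
    for job in SCHEDULE:
        if job.user_id != user_id or job.destination != destination:
            continue
        if not job.authorized:
            reason = f"application {job.app_no} not yet authorized"
        elif not (job.start <= now < job.end):
            reason = f"outside the applied window of {job.app_no}"
        else:
            return job, "ok"
    return None, reason


def remote_login(src_ip: str, user_id: str, password: str,
                 destination: str, now: datetime):
    """Access control: every gate must say yes. Returns (allowed, reason, app_no)."""
    if not relay_allows(src_ip):
        return False, "relay: source address not allowed", None
    if not authenticate(user_id, password):
        return False, "authentication failed", None
    job, reason = find_application(user_id, destination, now)
    if job is None:
        return False, "access right: " + reason, None
    return True, "allowed", job.app_no


if __name__ == "__main__":
    now = datetime(2006, 9, 28, 10, 30)
    for args in [("10.0.1.5", "userA", "correct-horse", "db01.example.internal", now),
                 ("10.0.1.5", "userB", "battery-staple", "db01.example.internal", now),
                 ("10.0.1.5", "userA", "correct-horse", "db01.example.internal",
                  datetime(2006, 9, 28, 11, 0))]:
        print(args[1], remote_login(*args))
```

The point the patent makes, that a leaked user ID and password alone do not open the system, is visible in the second and third calls: user B authenticates but has no authorized application, and user A is refused one second after the applied window closes.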
[Promotion and demotion determination processing]
Next, the promotion and demotion processing that the promotion processing unit 138 performs for a user is described. The promotion processing unit 138 of the application management device 13 reads the operation schedule information from the operation schedule holding unit 136 and judges whether there is a user who should be promoted. For example, suppose user A applied for, and was authorized to perform, a shutdown operation with an operation target date and time of 10:00 to 11:00 on the business day 28 September 2006. When 10:00 on 28 September 2006 arrives, the promotion processing unit 138 promotes user A: it sends the user identification information of the user to be promoted to the user authentication device 12, which registers user A in the promoted user information of the valid user information holding unit 122.
The promotion processing unit 138 also judges whether the operation schedule information contains a user who should be demoted. In the above example, user A is demoted when 11:00 on 28 September 2006 arrives: the promotion processing unit 138 sends the user identification information of the user to be demoted to the user authentication device 12, which deletes user A from the promoted user information of the valid user information holding unit 122.
The application management device 13 repeats the above processing at a fixed interval (for example every minute), so the promoted user information is kept up to date.
By granting special authority only with a time restriction in this way, the security of the business information system is further improved. A user can explicitly request special authority after remote login, but the conditions under which promotion is permitted are judged by the promotion processing unit 138 against the predefined promotion conditions.
The job request processing, operation authorization processing, login processing to the business information system, and promotion and demotion determination processing described above are described in detail in, for example, JP 2008-117361 A, and are known techniques.
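The periodic promotion and demotion pass, as an added example (illustrative code written for this page, not the patent's own implementation). Rather than promote at the window start and demote at the window end as two separate events, it recomputes the whole set of users who should currently hold special authority on every tick and diffs it against the current promoted set. That makes the pass idempotent, lets it recover from a missed tick, and, going slightly beyond the page's single-job example, handles a user whose second authorized window overlaps the first without demoting them at the end of the first. The job records, user names and the `ValidUserInfo` structure are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ScheduledJob:
    """Operation schedule entry (constructed layout) as read by unit 138 from unit 136."""
    app_no: str
    user_id: str
    start: datetime
    end: datetime
    authorized: bool
    needs_special_authority: bool


@dataclass
class ValidUserInfo:
    """Valid user information holding unit 122: registered users plus the promoted set."""
    users: set
    promoted: set = field(default_factory=set)


def reconcile_promotions(schedule, info, now):
    """One pass of the promotion processing unit 138 at time `now`.

    A user holds special authority exactly while some authorized job of theirs that
    needs it is inside its window [start, end). The pass computes the full target set
    and diffs it against the current promoted set. Returns (promoted, demoted)."""
    target = {
        job.user_id
        for job in schedule
        if job.authorized and job.needs_special_authority
        and job.start <= now < job.end
        and job.user_id in info.users      # a user removed from 122 is never promoted
    }
    promoted = target - info.promoted
    demoted = info.promoted - target
    info.promoted = target
    return promoted, demoted


def run_scheduler(schedule, info, start, end, step=timedelta(minutes=1)):
    """Drive the pass once per `step` (the page suggests every minute) and return the
    ticks at which the promoted set changed, as (time, promoted, demoted) tuples."""
    events = []
    t = start
    while t <= end:
        promoted, demoted = reconcile_promotions(schedule, info, t)
        if promoted or demoted:
            events.append((t, promoted, demoted))
        t += step
    return events


# Constructed example built on the page's user A: shutdown work 10:00 to 11:00 on
# 2006-09-28, plus a second overlapping job and an unauthorized request by user B.
SCHEDULE = [
    ScheduledJob("A-0001", "userA", datetime(2006, 9, 28, 10, 0),
                 datetime(2006, 9, 28, 11, 0), True, True),
    ScheduledJob("A-0002", "userA", datetime(2006, 9, 28, 10, 45),
                 datetime(2006, 9, 28, 11, 30), True, True),
    ScheduledJob("A-0003", "userB", datetime(2006, 9, 28, 10, 0),
                 datetime(2006, 9, 28, 11, 0), False, True),
]


def example_run():
    info = ValidUserInfo(users={"userA", "userB"})
    return run_scheduler(SCHEDULE, info,
                         datetime(2006, 9, 28, 9, 55), datetime(2006, 9, 28, 11, 35))


if __name__ == "__main__":
    for t, promoted, demoted in example_run():
        print(t.strftime("%H:%M"), "promoted", sorted(promoted), "demoted", sorted(demoted))
```

With the constructed schedule the only transitions are the promotion of user A at 10:00 and the demotion at 11:30, when the later of the two overlapping windows closes; user B's unauthorized request never grants anything.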
[Access verification processing]
Next, access verification processing is described with reference to the flowchart of Fig. 11. To confirm whether the accesses that were allowed were carried out according to the job content applied for in advance, the authorizer instructs an access verification (log check) from the input unit (not shown) of the authorization terminal 44.
In step S1, the authorization terminal 44 displays the access log search screen 90 shown in Fig. 9 in response to the authorizer's instruction. The authorizer sets the search conditions for the access logs to be retrieved on the access log search screen 90. In step S2, the authorization terminal 44 accepts the search conditions set by the authorizer. When the search button 91 is clicked, in step S3 the authorization terminal 44 sends the accepted access log search condition data to the log management device 15.
In step S4, on receiving the search condition data from the authorization terminal 44, the operation verification unit 151B of the log management device 15 reads from the operation schedule holding unit 136 of the application management device 13 the operation schedule information corresponding to the application number contained in the search condition data, reads from the log holding unit 152 the access logs bound to that application number, and checks the two against each other to determine whether any access was unauthorized. For example, as described above, if a file rewrite is performed during a job whose request stated "operation monitoring" as its purpose, that access is unauthorized. In step S5, the operation verification unit 151B reads the access logs matching the search conditions from the log holding unit 152 and notifies them to the authorization terminal 44 as the access verification result.
In step S6, the authorization terminal 44 displays the search result screen 100 shown in Fig. 10 based on the access verification result received from the log management device 15. In addition, prohibited commands that are considered unnecessary for the applied job content may be registered in advance as keywords; when an access log matching a keyword is retrieved, the administrator can be notified by e-mail of the matching log line number and record.
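The check in step S4, as an added example (illustrative code, not the patent's own implementation): every access log line bound to an application number is compared with the job request it was made under. The page's own case, a file rewrite during a job applied for as "operation monitoring", is flagged because the command is classified as a write and that purpose only permits reads; the same pass also flags access outside the applied window, access by a user other than the applicant, and the pre-registered prohibited keywords mentioned in step S6. The log line format, the purpose-to-command-class policy, the command classifier regexes, the keyword list and the sample log are all constructed assumptions; a real deployment would tune the classifier to the commands its systems actually log.

```python
import re
from datetime import datetime

# Constructed operation schedule entry (unit 136): what application A-0001 was for.
OPERATION_SCHEDULE = {
    "A-0001": {
        "user_id": "userA",
        "purpose": "operation monitoring",
        "start": datetime(2006, 9, 28, 10, 0),
        "end": datetime(2006, 9, 28, 11, 0),
    },
}

# Assumed policy: command classes each job purpose may use. "other" is never allowed.
ALLOWED_BY_PURPOSE = {
    "operation monitoring": {"read"},
    "shutdown operation": {"read", "service"},
    "file update": {"read", "write"},
}

# Prohibited commands registered in advance as keywords (assumed list).
PROHIBITED_KEYWORDS = ("/etc/shadow", "mysqldump", "scp ")

# Coarse command classifier (assumed). Anything that writes a file counts as "write",
# including shell output redirection, whatever command starts the line.
WRITE_RE = re.compile(r"(^|\|\s*)(cp|mv|rm|tee|chmod|chown|vi|vim)\b|\bsed\s+-i\b|\s>>?\s*\S")
SERVICE_RE = re.compile(r"^(shutdown|reboot|systemctl|service)\b")
READ_RE = re.compile(r"^(cat|less|tail|head|grep|ls|ps|top|df|uptime|netstat)\b")

# Assumed log line format written to the log holding unit 152.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) app=(?P<app>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)


def classify(cmd: str) -> str:
    if WRITE_RE.search(cmd):
        return "write"
    if SERVICE_RE.match(cmd):
        return "service"
    if READ_RE.match(cmd):
        return "read"
    return "other"


def verify_access_logs(log_lines, app_no, schedule=OPERATION_SCHEDULE):
    """Operation verification unit 151B: check each log line bound to `app_no` against
    the job request it was made under. Returns [(line_no, reason), ...]; an empty
    list means every logged access matched the application."""
    job = schedule[app_no]
    allowed = ALLOWED_BY_PURPOSE[job["purpose"]]
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        m = LOG_LINE.match(line)
        if m is None or m["app"] != app_no:
            continue                       # malformed, or bound to another application
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        cmd = m["cmd"]
        if m["user"] != job["user_id"]:
            findings.append((line_no, f"user {m['user']} is not the applicant"))
        if not (job["start"] <= ts < job["end"]):
            findings.append((line_no, "outside the applied time window"))
        cls = classify(cmd)
        if cls not in allowed:
            findings.append((line_no, f"{cls} command not permitted for purpose '{job['purpose']}'"))
        for kw in PROHIBITED_KEYWORDS:
            if kw in cmd:
                findings.append((line_no, f"prohibited keyword '{kw.strip()}'"))
    return findings


# Constructed access log for the page's example: a monitoring job that rewrites a file.
SAMPLE_LOG = """\
2006-09-28 10:05:12 app=A-0001 user=userA cmd=tail -n 200 /var/log/app.log
2006-09-28 10:07:40 app=A-0001 user=userA cmd=ps aux
2006-09-28 10:09:03 app=A-0001 user=userA cmd=sed -i 's/debug=0/debug=1/' /etc/app/app.conf
2006-09-28 10:12:55 app=A-0001 user=userA cmd=cat /etc/shadow
2006-09-28 11:02:10 app=A-0001 user=userA cmd=uptime
2006-09-28 10:30:00 app=A-0002 user=userB cmd=rm -rf /tmp/cache
""".splitlines()


if __name__ == "__main__":
    for line_no, reason in verify_access_logs(SAMPLE_LOG, "A-0001"):
        print(f"line {line_no}: {reason}")
```

On the constructed log the pass reports three lines: the `sed -i` rewrite (a write under a read-only purpose), the `cat /etc/shadow` read (allowed by class but hitting a prohibited keyword), and the `uptime` at 11:02 (harmless in itself but outside the applied window). The line bound to A-0002 is ignored because the verification is per application number, exactly as step S4 describes.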
[Effects of the embodiment]
As described above, this embodiment performs an application check in addition to user authentication, so it is constructed such that unauthorized access is not easy. With user authentication alone, leakage of user identification information leads directly to information leakage from the business information system. Because the business information protection device 10 also requires the job request procedure, leaked user identification information does not translate directly into unauthorized access: even if an unauthorized user temporarily obtains user identification information by illicit means, having to submit a false job request acts as a psychological deterrent to accessing the business information system.
In addition, a framework is realized that restricts access to the user environment 40 even for the SEs of a legitimate management company. As described above, because job applications and authorizations are recorded as logs, access verification afterwards is easy. This also has the advantage that the client enterprise can easily demonstrate that its own systems comply with the applicable rules (compliance). With these characteristics, the business information protection device 10 can help with the "strengthening of internal control" required by the SOX Act.
When the applied job content does not fit the execution condition information, the registration determination unit 131B notifies the authorization terminal 44 that the application is questionable, or temporarily invalidates that user identification information. By having the registration determination unit 131B perform such a job request check, illegal job requests can be rejected automatically. Furthermore, because maintenance work that requires authorization in addition to an application can be defined, security is further improved.
When maintenance work requiring special authority is performed, the business information protection device 10 can centrally manage which users are granted special authority and when, by placing a time restriction on the special authority.
Usually, the execution schedule of maintenance work is decided in advance. In this embodiment, by having the job application and authorization made in advance as needed, security management of the business information system is realized without placing an excessive psychological burden on the operator or the authorizer.
The business information protection device 10 also records access logs, and the log management unit 151 can check whether the content of the job request and the actual job content are inconsistent. So even after access has been allowed, it is easy to check afterwards whether unauthorized access occurred.
In this way, the business information protection device 10 protects the business information system from the following aspects:
1. User authentication
2. Judgement of whether the applied job content fits the execution conditions
3. Judgement of whether an application exists at the time of the remote login request
4. Comparison of the remote login request date and time with the applied operation target date and time
5. Judgement concerning special authority
6. Detection of unauthorized access based on access logs
In addition, the business information protection device 10 can centrally manage access to a plurality of business information systems, so a unified access policy for a plurality of business information systems is easy to apply. It also has the advantage that it can be introduced to a business information system already in operation simply by adding the business information protection device 10.
The above description uses "maintenance work" as an example, but the present invention is not limited to this; it can also be applied, for example, when an employee accesses the system from an external location.
The series of processing described above can be executed by hardware or by software. When executed by software, the program constituting the software is installed from a program recording medium into a computer built into dedicated hardware, or into, for example, a general-purpose personal computer that can execute various functions by installing various programs.
The present invention is not limited to the embodiment described above; at the implementation stage, the technical features may be modified and embodied within a scope that does not depart from its gist, and the technical features disclosed in the embodiment may be combined as appropriate to form various inventions. For example, some constituent elements may be deleted from all those shown in the embodiment, and constituent elements of different embodiments may be combined as appropriate.

Claims (6)

1. A business information protection device, characterized by comprising:
valid user information holding means for holding valid user information in which valid users permitted to execute predetermined processing of a system are registered;
application receiving means for receiving application information applying to access the system and execute said predetermined processing;
schedule holding means for holding schedule information in which the applied predetermined processing and the applied access are associated;
execution request receiving means for receiving, from a terminal, user identification information identifying an accessor when said predetermined processing is to be executed;
user authentication means for judging, with reference to said valid user information, whether said accessor is registered as a valid user;
application status judging means for judging, with reference to said schedule information, whether said accessor has applied for the predetermined processing to be executed by accessing the system;
access control means for allowing access from said terminal to said system to execute the predetermined processing on condition that the judgement of said user authentication means and the judgement of said application status judging means are both affirmative;
log recording means for recording the history of access by said terminal to said system as log information; and
verification means for comparing the accesses shown in said log information with the access for executing the predetermined processing applied for in said schedule information, and detecting, as unauthorized access, any access shown in said log information that is inconsistent with the access for executing the predetermined processing applied for in said schedule information.
2. The business information protection device according to claim 1, characterized by further comprising:
request notification means for notifying an authorizer of the applied predetermined processing of the applied processing content; and
authorization obtaining means for accepting an authorization input from said authorizer,
wherein said schedule holding means further holds the applied predetermined processing in said schedule information in association with its authorization status, and
said application status judging means further judges whether the applied predetermined processing has been authorized.
3. The business information protection device according to claim 1 or 2, characterized in that
said application status judging means further judges whether the execution date and time of the predetermined processing fall within the applied period.
4. The business information protection device according to any one of claims 1 to 3, characterized by further comprising:
execution condition holding means for holding execution condition information defining execution conditions of the predetermined processing; and
application registration judging means for registering the applied predetermined processing in said schedule information on condition that the applied processing content conforms to said execution condition information.
5. The business information protection device according to claim 4, characterized in that
said valid user information holding means further holds promoted user information indicating users who have obtained special authority different from ordinary user authority, and
said application status judging means further judges, when special authority is specified as an execution condition of the applied predetermined processing, whether the accessor is a user who can obtain special authority.
6. The business information protection device according to claim 5, characterized by further comprising:
promotion condition setting means for accepting a setting input of a promotion condition indicating the condition under which special authority can be obtained; and
promotion registration means for registering a user who is the object of the promotion condition in said promoted user information when said promotion condition is satisfied.
Application CN201110081078.7A, filed 2011-03-25 (priority date 2011-03-25).
Published as CN102693373A on 2012-09-26; granted as CN102693373B on 2016-11-16 (status: active).
Divisional application CN201610822526.7A, published as CN107103216A on 2017-08-29 and granted as CN107103216B on 2020-08-25.
