CN107103216B - Service information protection device - Google Patents

Publication number
CN107103216B
Authority
CN
China
Prior art keywords
application
information
access
user
job
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610822526.7A
Other languages
Chinese (zh)
Other versions
CN107103216A (en)
Inventor
池浦规之
盛永谦一郎
桥本淳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nomura Research Institute Ltd
Original Assignee
Nomura Research Institute Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a business information protection device which can improve the information security of a business information system and easily manage the access rule of the business information system. If the job application is valid, the registration determination unit (131B) assigns an application number for uniquely identifying the job. A job scheduling information holding unit (136) holds job scheduling information that is formally registered by the registration determination unit (131B). A log holding unit (152) binds and holds the application number given by the registration determination unit (131B) and an access log of the job application content corresponding to the application number. A job verifying unit (151B) compares the content of the access log of the log holding unit (152) with job scheduling information of the job scheduling holding unit (136) corresponding to the application number to which the access log is bound, and checks whether or not the access log is an unauthorized access.

Description

Service information protection device
The present application is a divisional application with application number 201110081078.7, application date 2011.03.25, and title of the invention "service information protection device".
Technical Field
The present invention relates to a service information protection device, and more particularly, to a service information protection device capable of improving information security of a service information system.
Background
Business information systems, so-called enterprise systems, which support the operation of enterprises, public facilities, and the like, have now become the foundation of organizations of various sizes. The service information system supports complex organization and management by aggregating, accumulating, analyzing, and processing data obtained from terminal nodes or databases, and outputting information with a higher added value on that basis.
Such a service information system also needs various maintenance operations after it goes into operation, such as operation monitoring, troubleshooting, function expansion, and function change. In general, a customer enterprise introducing a business information system entrusts the maintenance work to an external management company. In many cases, an SE (System Engineer) of the management company remotely logs in to the service information system and performs maintenance work.
In recent years, the Sarbanes-Oxley (SOX) Act passed in the United States strongly requires that business operators or accounting auditors guarantee the legitimacy of public information. Since Japan also intends to introduce a Japanese SOX law modeled on this act, it is urgent to prepare for the Japanese SOX law.
In view of such a social background, patent document 1 proposes a technique relating to an access rule that makes authorization by an administrator a condition of access, in addition to user authentication based on an ID and a password.
[Prior art documents]
[Patent document]
[Patent document 1] Japanese Patent Application Laid-Open No. 2004-213475
Disclosure of Invention
The access rule described in patent document 1 is an effective method for preventing unauthorized access to the service information system, but requires a manager to immediately respond to a job application, which imposes a heavy burden. That is, it is inherently important to establish an access rule that easily prevents information leakage, but there is a problem that the burden on the user must be taken into consideration in order to suppress the occurrence of human error.
In addition, the business information system introduced by the enterprise is not limited to a single system. For example, a business may introduce a financial system and a customer system separately, or may incorporate these systems into a more up-front system. In such an enterprise that operates a plurality of business systems, an architecture that can improve the information security of each business information system and easily manage the access rules thereof is also required.
The invention aims to provide a service information protection device capable of improving information security in a service information system.
One aspect of the present invention is characterized by comprising:
a legitimate user information holding means that holds legitimate user information in which legitimate users of a prescribed process of the system are registered;
an application receiving means that receives application information that specifies a scheduled visitor and applies for execution of the prescribed process;
a reservation holding device that holds reservation information in which the prescribed process applied for is associated with its scheduled visitor;
an execution request receiving unit that receives, from a terminal, user identification information for specifying a visitor when the prescribed process is to be executed;
a user authentication device that determines, with reference to the legitimate user information, whether or not the visitor is registered as a legitimate user;
an application state determination device that refers to the reservation information and determines whether or not the prescribed process has been applied for with the visitor as its scheduled visitor;
an access control device that permits access from the terminal to the system to perform the prescribed process, on condition that both the determination by the user authentication device and the determination by the application state determination device are affirmative;
a log recording device that records an access history from the terminal to the system as log information; and
an authentication device that compares the access indicated by the log information with the access for performing the prescribed process applied for in the reservation information, and detects, as unauthorized access, any access indicated by the log information that does not match the access applied for.
The device may further comprise: an application notification device that notifies a designated authorizer of the content of the process applied for; and an authorization acquisition device that accepts an authorization input from the authorizer, wherein the reservation holding device further holds, as the reservation information, the prescribed process applied for and its authorization status in association with each other, and the application state determination device is further capable of determining whether the prescribed process applied for has been authorized.
The application state determination device may further determine whether or not the execution date and time of the process is within the period applied for.
The device may further comprise: an execution condition holding means for holding execution condition information defining an execution condition of a prescribed process; and an application registration determination device that registers the prescribed process applied for in the reservation information on the condition that the content of the process applied for matches the execution condition information.
The legitimate user information holding means may also hold upgrade user information indicating users who can obtain a special authority different from the normal user authority, and, when the special authority is specified as an execution condition for the prescribed process applied for, the application state determination device also determines whether or not the visitor is a user who can obtain the special authority.
The invention can provide a service information protection device which can improve the information security of a service information system.
Drawings
Fig. 1 is a block diagram showing a configuration example of a service information system according to the present embodiment.
Fig. 2 is a block diagram showing an example of a functional configuration of the service information guard device.
Fig. 3 is a diagram showing an example of the data structure of the execution condition information in the execution condition holding unit.
Fig. 4 is a diagram showing an example of the recording content of the access log held by the log holding unit.
Fig. 5 is a diagram showing an example of display of the login screen.
Fig. 6 is a diagram showing an example of display of an access application screen.
Fig. 7 is a diagram showing an example of display of the access authorization screen.
Fig. 8 is a diagram showing an example of display of an access application/authorization level setting screen.
Fig. 9 is a diagram showing an example of display of the access log search screen.
Fig. 10 is a diagram showing an example of display of a search result screen.
Fig. 11 is a flowchart for explaining the access check processing.
Description of the symbols
10 service information protection device
11 Relay device
111 login interface processing unit
12 user authentication device
13 application management device
20 work terminal
40 customer environment
41 financial information system
42 customer information system
43 inventory management system
44 authorization terminal
121 user authentication unit
122 legal user information holding unit
131 application state management unit
131A job application part
131B registration determination unit
131C application notification unit
131D work authorization part
132 application state determination unit
133 access interface processing section
135 execution condition holding unit
136 work schedule holding section
138 upgrade processing part
151 log management part
152 log holding unit
151A log recording part
151B work verification unit
Detailed Description
[ Structure of Business information System ]
Fig. 1 is a diagram showing an example of the configuration of a service information system according to the present embodiment. In the service information system shown in the figure, a service information guard device 10 and a work terminal 20 are connected via a network 30, and a client environment 40 is connected to the network 30 via the service information guard device 10. In addition, the log management device 15 is also connected to the service information guard device 10.
In the business information system shown in Fig. 1, the client environment 40 represents the business environment of a certain enterprise A. The various business systems of the customer environment 40 also receive appropriate maintenance work after they go into operation. The maintenance work is sometimes performed in the customer environment 40, but is usually performed by remote access from the work terminal 20. The user who performs the remote maintenance work is simply referred to as a "worker" or "operator" hereinafter. The worker is most often an SE (System Engineer) of a management company that has made a maintenance work contract with the enterprise A. The worker operates the work terminal 20 and remotely logs in to the various business information systems of the client environment 40 through the network 30 and the business information guard 10. The communication path between the work terminal 20 and the service information guard 10 is preferably a secure communication path using a VPN (Virtual Private Network) or the like.
In the following, the network 30 is explained on the premise of remote access via a public line such as the internet or a Local Area Network (LAN), but the service information guard 10, the client environment 40, and the work terminal 20 may be connected to each other by a private line.
In the present specification, the term "client enterprise" or "client environment 40" is used for an enterprise that executes an organization business by operating various business information systems, and means a client that receives a maintenance work service from an external work terminal 20.
The service information guard 10 is a device that collectively receives the remote login requests transmitted from the work terminal 20 to the client environment 40, and is provided at a network security interface. The service information protection device 10 performs access control for communication protocols such as TELNET (telecommunications network), SSH (Secure Shell), FTP (File Transfer Protocol), HTTP (HyperText Transfer Protocol), HTTPS (HyperText Transfer Protocol Secure), Windows RDP (Remote Desktop Protocol), and CIFS (Common Internet File System), and checks the acquired logs (described in detail later).
The service information guard 10 allows remote login from the work terminal 20 on condition that both of the following two determinations are affirmative.
1. Whether or not the worker is a user registered in advance (hereinafter referred to as "user authentication")
2. Whether or not the worker has previously (accurately) requested to perform the maintenance work (hereinafter referred to as "request determination")
The service information guard device 10 includes a relay device 11, a user authentication device 12, an application management device 13, and an access right management device 14. The service information guard device 10 may be a single device in which the functions of the relay device 11, the user authentication device 12, the application management device 13, and the access right management device 14 are integrated, but in the present embodiment, a case where the service information guard device 10 is an aggregate of these three devices will be described for the following reason.
Commonly, a system is configured as follows: a worker remotely logs in from a terminal to a terminal server, and access to the service information system is allowed on the condition that user authentication by the terminal server succeeds. In the present embodiment, the user authentication device 12, the application management device 13, and the access right management device 14 are introduced in addition to such a conventional system, thereby improving information security through application determination. That is, the relay device 11 shown in Fig. 1 may be an existing terminal server, and the case where the relay device 11 is a general PC (personal computer) terminal on which WINDOWS (registered trademark) is installed will be described below.
When the relay device 11 is accessed by the work terminal 20 via the network 30, the relay device 11 checks the IP address, host name, and the like of the work terminal 20, and immediately disconnects the work terminal 20 when the work terminal is other than the connection permission target, and does not permit the connection. On the other hand, when the work terminal 20 is the connection permission target, the relay device 11 requests the work terminal 20 to provide the user ID and the password, and provides the user ID and the password transmitted in accordance with the request to the user authentication device 12, the application management device 13, and the access right management device 14 to request confirmation.
The user authentication device 12 performs "user authentication" in place of the relay device 11. First, the user of work terminal 20 remotely logs in to relay device 11 as in the conventional case. At this time, the user ID and the password are transmitted to the relay apparatus 11 through the network 30. The user authentication device 12 receives the user ID and the password from the relay device 11, performs user authentication, and returns the result to the relay device 11.
The application management device 13 receives the user ID and the password from the relay device 11 and executes "application determination". Before remotely logging in to the business information system, the worker must apply in advance, stating which job is to be performed and when. The application management device 13 manages such job schedules collectively, and when it receives a remote login request from the worker, it confirms whether or not the worker has applied in advance for a maintenance job. Access to the service information system is allowed on condition that the user authentication is successful and that a job has been applied for.
The access right management device 14 performs "access right authentication" in place of the relay device 11. That is, the access right management apparatus 14 receives the user ID and the password and information indicating the access destination (IP address, host name, and the like) from the relay apparatus 11, performs authentication as to whether or not the user is allowed to connect to the access destination (whether or not there is an access right), and returns the result to the relay apparatus 11.
The relay device 11, the user authentication device 12, the application management device 13, and the access right management device 14 are each configured by two servers, a primary server and a secondary server, and have a failover function. That is, when the primary server fails for some reason, the IP address of the primary server is added to the secondary server. Specifically, the primary server and the secondary server each have a real IP and a virtual IP, and when the secondary server, which monitors the primary server, detects an abnormality, it takes over the virtual IP of the primary server. Since the worker accesses the virtual IP, access to the primary server is automatically switched to access to the secondary server when an abnormality occurs. Thus, the worker can continue working on the secondary server without being aware of the failure of the primary server.
The following 5 points are listed as main advantages of the service information guard 10 of the present embodiment.
1. Since the application judgment is carried out in addition to the user authentication, the information security of the service information system is enhanced.
2. It is easy to introduce into a service information system that is already in operation.
3. The load on the user associated with the application decision can be reduced.
4. A single service information protection device 10 can be used for uniformly managing a plurality of service information systems.
5. Since the application content and the access log are bound, access checking is easy.
The log management device 15 acquires and manages access contents performed in the relay device 11. For example, a "summary log" of access date and time or IP address or a "full text log" of transceived data is acquired and managed.
The log management device 15 binds the job application content managed by the application management device 13 to the access log managed by the log management device 15 and manages them together, so that the access check can be performed easily. The access check is a check in which the access log is searched to verify whether or not the access performed is the access that was applied for.
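The access check described above can be sketched as follows. This is an added example, not code from the patent: the one-line summary log format, the field names, the application numbers and all sample records are constructed for illustration.

```python
from datetime import datetime

# Constructed job scheduling information, keyed by application number.
JOB_SCHEDULE = {
    "A-0001": {"user": "se01", "system": "financial",
               "start": datetime(2024, 5, 1, 10, 0),
               "end": datetime(2024, 5, 1, 11, 0)},
    "A-0002": {"user": "se02", "system": "inventory",
               "start": datetime(2024, 5, 1, 13, 0),
               "end": datetime(2024, 5, 1, 14, 0)},
}

# Constructed summary log. Assumed layout per line:
#   <ISO timestamp> <application number> <user ID> <destination system>
SAMPLE_LOG = """\
2024-05-01T10:05:12 A-0001 se01 financial
2024-05-01T10:40:03 A-0001 se01 customer
2024-05-01T11:20:45 A-0001 se01 financial
2024-05-01T13:10:00 A-0002 se01 inventory
2024-05-01T13:15:00 A-0009 se03 financial
not a log line
"""


def parse_line(line):
    """Parse one summary log line; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return {"time": when, "application_no": parts[1],
            "user": parts[2], "system": parts[3]}


def check_entry(entry, schedule):
    """Compare one log entry with the job bound to its application number."""
    job = schedule.get(entry["application_no"])
    if job is None:
        return ["unknown application number"]
    findings = []
    if entry["user"] != job["user"]:
        findings.append("user differs from applicant")
    if entry["system"] != job["system"]:
        findings.append("destination not applied for")
    if not (job["start"] <= entry["time"] <= job["end"]):
        findings.append("outside applied job time")
    return findings


def access_check(log_text, schedule):
    """Return (line number, findings) for every log line that does not match
    the job it is bound to. Malformed lines are reported, never skipped, so a
    damaged or tampered record cannot silently pass the check."""
    report = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            report.append((number, ["unparseable log line"]))
            continue
        findings = check_entry(entry, schedule)
        if findings:
            report.append((number, findings))
    return report


if __name__ == "__main__":
    for number, findings in access_check(SAMPLE_LOG, JOB_SCHEDULE):
        print(f"line {number}: {', '.join(findings)}")
```

Because every log record carries its application number, the check is a keyed lookup plus a field comparison rather than a search across all applications.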
When the worker inputs a user ID and a password for remotely logging in to the client environment 40, the work terminal 20 transmits the user ID and the password as a remote login request to the service information guard 10 via the network 30.
The client environment 40 includes three business information systems, namely a financial information system 41, a customer information system 42, and an inventory management system 43, and one or more authorization terminals 44. The financial information system 41 is a system for managing financial information of the enterprise A. The customer information system 42 is a system for managing customer information of the enterprise A. The inventory management system 43 is a system for managing the inventory status of the products of the enterprise A. The authorization terminal 44 is a general PC terminal on which a Web browser is installed. The authorization terminal 44 does not necessarily belong to the client environment 40, and may be a portable terminal such as a notebook computer.
Fig. 2 is a block diagram showing an example of the functional configuration of the service information guard 10 and the log management device 15.
In hardware terms, the blocks shown in Fig. 2 can be implemented by elements such as the CPU of a computer or by mechanical devices, and in software terms by a computer program or the like; here, the blocks shown in Fig. 2 represent functional blocks implemented by a combination of hardware and software. Accordingly, these functional blocks can be implemented in various forms using a combination of hardware and software.
A: relay device 11
The login interface processing unit 111 of the relay device 11 receives a remote login request from the work terminal 20. The remote login request includes a user ID and a password. The relay device 11 forwards the received user ID and password so that the user authentication processing is performed by the user authentication device 12, the application determination processing by the application management device 13, and the access right authentication processing by the access right management device 14. When information indicating an access destination (such as an IP address and a host name) is acquired from the work terminal 20, the login interface processing unit 111 forwards the acquired information so that the access right authentication processing is performed by the access right management device 14. The login interface processing unit 111 receives the determination results from the user authentication device 12, the application management device 13, and the access right management device 14. Data for identifying a user, such as a user ID or a password, is hereinafter referred to as "user identification information". As a modification, the user identification information may be biometric information such as a fingerprint or an iris.
The relay device 11 need not be a single device. For example, there may be a relay device 11 for the financial information system 41 and a relay device 11 for the customer information system 42, respectively. Alternatively, the operator may access the target business information system through any relay device 11 among the plurality of relay devices 11. In view of load distribution and efficiency, it is preferable to provide a plurality of relay devices 11. Similarly, a plurality of user authentication devices 12, application management devices 13, and access right management devices 14 may be provided in view of load distribution and availability.
B: user authentication device 12
The user authentication device 12 includes a user authentication unit 121 and a valid user information holding unit 122. When the login interface processing unit 111 of the relay apparatus 11 receives the remote login request, the user authentication unit 121 acquires the user ID and the password from the login interface processing unit 111. It then performs user authentication by determining whether or not the user of the transmission source is registered as a legitimate user in the valid user information holding unit 122. The valid user information holding unit 122 holds valid user information in which the user ID and the password are associated with each other. A user registered in the valid user information is referred to as a "legitimate user". The user authentication unit 121 performs user authentication not only for the worker but also for the authorizer, as described in detail later. The valid user information holding unit 122 is installed inside the user authentication apparatus 12 here, but is not limited to this, and may be an external apparatus such as an LDAP (Lightweight Directory Access Protocol) server, for example.
Among the maintenance work performed on the service information system, there is also work, such as disconnection (release) work, that has a particularly large influence on the service information system. Performing such maintenance work requires access with the same user authority as that of the administrator, instead of access with the usual user authority. However, from the viewpoint of improving the information security of the service information system, it is not preferable to grant such a special user authority (hereinafter simply referred to as "special authority") easily. The detailed architecture is described later, but the service information guard 10 can strictly manage the users who are in a state where the special authority can be acquired (hereinafter referred to as "upgradable users"). The valid user information holding unit 122 holds upgrade user information indicating the upgradable users in addition to the valid user information. Registering a user in the upgrade user information as an upgradable user is called "upgrade", and deleting a user who is no longer upgradable from the upgrade user information is called "downgrade".
The user authentication device 12 of the present embodiment is a single device, and manages user identification information collectively. Because a single user authentication device 12 performs the user authentication that connects a plurality of business information systems with a plurality of parties concerned, the user authentication policy is easy to manage.
C: application management device 13
The application management device 13 includes an application state management unit 131, an application state determination unit 132, an access interface processing unit 133, an execution condition holding unit 135, a job scheduling holding unit 136, and an upgrade processing unit 138.
In order to access the business information system, the worker must request execution of a maintenance operation in advance. The application state management unit 131 performs processing related to the application of the job. The application state management unit 131 includes a job application unit 131A, a registration determination unit 131B, an application notification unit 131C, and a job authorization unit 131D.
Before starting the work, the worker transmits work application information to the application management device 13 through the work terminal 20. The job application information is a set of input data such as a job destination, a job date and time, a project name, and a system name to be accessed, but may include additional information other than the input data such as a mail address of an applicant, an application date and time, and an IP address of an applicant. The job application information is transmitted from the job terminal 20, but the present invention is not limited to this, and may be transmitted from an application terminal (not shown) different from the job terminal 20, for example.
The job application unit 131A receives job application information from the job terminal 20.
The registration determination section 131B determines whether or not the job application information received by the job application section 131A matches execution condition information (described later with reference to fig. 3) registered in the execution condition holding section 135. When the registration determination unit 131B determines that the job application information does not match the execution condition information, it rejects the application and notifies the operator of the work terminal 20 of the result. When the registration determination unit 131B determines that the job application information matches the execution condition information, the requested job is registered in the job scheduling information of the job scheduling holding unit 136. The job application registered in the job scheduling information is referred to as a "valid job application". The content of the job reservation information and the content of the job application information may be substantially the same. That is, of the received job application information, only job application information satisfying the requirement as a valid job application is formally registered as "job scheduling information" in the job scheduling holding unit 136.
If the job application is valid, the registration determination unit 131B assigns an application number (job ID) for uniquely identifying the job. The application number, the scheduled job date and time, the job content, the name of the worker, the authorization status, and the like are associated with the job scheduling information.
Some maintenance jobs can be started as soon as a valid job application has been made, while others cannot be started until they have been authorized. Which type a job belongs to can be defined as part of the execution condition information.
In addition, among the jobs registered in the job scheduling information of the job scheduling holding unit 136, a job whose scheduled date and time has passed remains as a history of past applications, and a rejected application remains with its application state recorded as "rejected".
When a valid job application is registered in the job scheduling holding section 136, the application notifying section 131C refers to the execution condition information registered in the execution condition holding section 135 to determine whether the content of the job applied for requires authorization. When the maintenance job applied for requires authorization, the application notification unit 131C notifies the authorizer of the application number. The application notification unit 131C of the present embodiment transmits an electronic mail indicating the application number to the authorization terminal 44. Upon receiving the notification, the authorizer operates an input unit, not shown, of the authorization terminal 44, accesses the application management device 13 of the service information guard 10 based on the application number, and inputs whether or not to authorize the job.
The job authorization section 131D receives authorization from the authorization terminal 44. If authorized, the job authorization part 131D changes the authorization status in the job scheduling information registered by the job scheduling holding part 136 from "unauthorized" to "authorized". In the case of rejection, the job authorizing section 131D notifies the worker of the result of rejection of the application, and records the application state of the job scheduling information registered in the job scheduling holding section 136 as "rejected".
The application state determination unit 132 performs application determination. When a remote login request is received from an operator, it determines whether or not a job has been applied for, referring to the user identification information acquired from the login interface processing unit 111 and the job scheduling information registered in the job scheduling holding unit 136. The application state determination unit 132 also determines whether or not the reception date and time of the remote login request is within the applied work time.
For example, when a scheduled job time of "10:00 to 11:00" is designated in the application, a remote login request made before 10:00 or after 11:00 results in a "negative" application determination, and the remote login is not permitted.
When both the user authentication and the application determination are affirmative determinations, the access interface processing section 133 allows a communication path for accessing the client environment 40 from the job terminal 20. Of course, when the maintenance work requiring authorization is requested, the access is not permitted without authorization.
The execution condition holding unit 135 holds the access rule for the maintenance work as execution condition information. The maintenance work is performed for various purposes such as coping with a failure, investigation, operation monitoring, and disconnection work. The maintenance work can be classified into a plurality of types (hereinafter, simply referred to as "work types") as described above. For example, disconnection of a module added to a business information system is sometimes desired to be permitted only outside business hours. In this case, the management administrator of the business information system sets the execution conditions so that the disconnection job can be executed only during hours other than business hours. The data structure of the execution condition holding section 135 is described later with reference to fig. 3.
The job scheduling holding unit 136 holds job scheduling information that satisfies the requirement as a valid job application, which is formally registered by the registration determination unit 131B of the application state management unit 131.
The upgrade processing unit 138 reads the job scheduling information from the job scheduling holding unit 136 at predetermined timing, and determines whether there is a user who should be upgraded or a user who should be downgraded.
The application management device 13 of the present embodiment is a single device and performs application determination in a unified manner. By executing application determination relating to a plurality of business information systems by a single application management device 13, execution conditions and job scheduling information can be easily managed.
Fig. 3 is a diagram showing an example of the data structure of the execution condition information in the execution condition holding unit 135.
The execution condition information is an access rule set by the management person in charge of each service information system. The rule ID column 135A indicates an ID (hereinafter referred to as "rule ID") for uniquely identifying an access rule. When an access rule is registered, a rule ID is assigned. The year, month, and day column 135B indicates the applicable date of the access rule. The time column 135C represents the applicable time of the access rule. For example, the access rule of rule ID "1" applies to the time period "6:00 to 16:00" on business days of enterprise A. The operation type column 135D indicates the operation type of the maintenance operation to which the access rule is applied. The authorization required column 135E indicates whether authorization is required in order to execute the job.
In the example of fig. 3, the access rule of rule ID "1" applies to maintenance work of work type "01" for the purpose of "coping with trouble" and maintenance work of work type "02" for the purpose of "investigation", performed in "6:00 to 16:00" on a "business day", and authorization is not required for these maintenance works. That is, when performing maintenance work for the purpose of coping with a trouble with a time within "6:00 to 16:00" on a business day as the scheduled work date and time, the worker only has to make a work application in advance, and authorization is not required. The access rule of rule ID "2" applies to maintenance work of work type "03" for the purpose of "operation monitoring" and maintenance work of work type "04" for the purpose of "disconnection work", performed in "6:00 to 16:00" on a "business day", and these maintenance works require authorization. That is, when performing maintenance work for the purpose of "operation monitoring" or "disconnection work" in "6:00 to 16:00" on a business day, a work application alone is not sufficient, and access is not possible unless the application is authorized.
For example, suppose that worker A makes a remote access request at a date and time T within "6:00 to 16:00" on a business day. At this time, the application determination results obtained based on the execution condition information shown in the example of fig. 3 are as follows.
1. If no application is made for a job including a date and time T as a job scheduled time, the determination is negative.
2. When a trouble-coping work including date and time T as a work scheduled time has been applied, the judgment is affirmative.
3. When an operation monitoring job including a date and time T as a job scheduled time has been applied for, the application state determination unit 132 refers to the job schedule holding unit 136, and if the applied operation monitoring job is authorized, the determination is affirmative. If it is unauthorized or has been rejected, the determination is negative.
The registration determination unit 131B automatically rejects an application when the same operator applies for a different job on the same date and time. Therefore, the operator cannot simultaneously apply for both the trouble countermeasure work and the operation monitoring work for the date and time T.
The execution condition holding unit 135 may hold the execution condition information for each business information system, but in the present embodiment, the execution condition information is unified execution condition information, that is, common access rules are defined for the financial information system 41, the customer information system 42, and the inventory management system 43. In the case described in the present embodiment, a special authority is required when the "disconnection work" of the job type "04" is executed, but a special authority is not required for the other jobs.
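The registration determination and application determination described above can be modelled as follows. This is an added example, not code from the patent: the class and function names, the Monday-to-Friday definition of a business day, and the half-open time window are assumptions, and the rule table only mirrors the two rules of fig. 3.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class AccessRule:            # one row of the execution condition information
    rule_id: int
    start: time              # applicable time window on a business day
    end: time
    job_types: frozenset     # work types the rule covers
    needs_authorization: bool

# Constructed rule table mirroring rule IDs "1" and "2" of fig. 3.
RULES = [
    AccessRule(1, time(6, 0), time(16, 0), frozenset({"01", "02"}), False),
    AccessRule(2, time(6, 0), time(16, 0), frozenset({"03", "04"}), True),
]

@dataclass
class JobApplication:        # one entry of the job scheduling information
    app_no: int
    user_id: str
    job_type: str
    start: datetime
    end: datetime
    status: str = "unauthorized"   # "unauthorized" | "authorized" | "rejected"

def find_rule(job_type, start, end):
    """Return the access rule covering this work type and window, or None."""
    # Assumption: a business day is Monday to Friday and a job stays within one day.
    if start.date() != end.date() or start >= end or start.weekday() >= 5:
        return None
    for rule in RULES:
        if (job_type in rule.job_types
                and rule.start <= start.time() and end.time() <= rule.end):
            return rule
    return None

def register(schedule, app):
    """Registration determination: only valid applications enter the schedule."""
    if find_rule(app.job_type, app.start, app.end) is None:
        return False
    for other in schedule:
        overlaps = other.start < app.end and app.start < other.end
        if other.user_id == app.user_id and other.status != "rejected" and overlaps:
            return False     # same operator, overlapping date and time
    schedule.append(app)
    return True

def determine(schedule, user_id, now):
    """Application determination for a remote login request received at `now`."""
    for app in schedule:
        if app.user_id != user_id or app.status == "rejected":
            continue
        if not (app.start <= now < app.end):   # assumption: end time is exclusive
            continue
        rule = find_rule(app.job_type, app.start, app.end)
        # Fail closed: a missing rule is treated as requiring authorization.
        if (rule is None or rule.needs_authorization) and app.status != "authorized":
            return (False, "not authorized")
        return (True, "application %d" % app.app_no)
    return (False, "no application")
```
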
D: access right management device 14
The access right management device 14 includes an access right authentication unit 141 and an access right information holding unit 142. When the login interface processing unit 111 of the relay apparatus 11 receives the remote login request, the access right authentication unit 141 acquires the user ID, the password, and the information indicating the access destination (such as the IP address and the host name) from the login interface processing unit 111, and determines whether or not to allow the user of the transmission source to connect to the access destination (whether or not to have access right) based on the access application status registered in the access right information holding unit 142. The access right information holding unit 142 holds an access application state corresponding to the user ID and information indicating an access destination.
E: log management device 15
Log management section 151 manages an access log for accessing client environment 40 from job terminal 20. The log management section 151 includes a log recording section 151A and a job verification section 151B. The log recording unit 151A records the execution of the remote login request, the commands or data transmitted and received between the job terminal 20 and the service information system, and the date and time of the execution as an access log. At the time of recording, the log recording unit 151A associates the application number given by the registration determination unit 131B of the application state management unit 131 with the access log of the job corresponding to that application number. The log recording unit 151A also records a log of the rejection history, such as authentication failure, no application, and no access right.
The job verifying unit 151B compares the content of the access log held in the log holding unit 152 with the job scheduling information registered in the job scheduling holding unit 136 corresponding to the application number to which the access log is bound, and checks whether or not the access is illegal.
For example, when a job application has been made for the purpose of "operation monitoring" but a file rewriting process is executed, the job verification unit 151B refers to the access log held by the log holding unit 152 and detects this as an unauthorized access. The job verification unit 151B notifies the authorization terminal 44 of the presence of an unauthorized access or an access suspected of being an unauthorized access. Alternatively, the access interface processing unit 133 may forcibly prohibit the remote access at the point in time when the unauthorized access is detected.
The log holding unit 152 binds and holds the application number given by the registration determination unit 131B of the application state management unit 131 and the access log of the job application content corresponding to the application number. The contents of the access log held by the log holding unit 152 will be described later with reference to fig. 4.
Fig. 4 is a diagram showing an example of the record content of the access log held by the log holding unit 152.
The log holding unit 152 includes a summary log recording area 152A and a full-text log recording area 152B, and holds both summary logs and full-text logs. The summary log includes the start and end times of access, the IP address and host name of the user terminal and the access destination server, the user ID, the connection time, and the like. The full-text log includes contents of actual execution, operation commands, and the like.
In the case of the example of fig. 4, main recorded content is held in the summary log recording area 152A and the full-text log recording area 152B in accordance with each protocol. For example, in the case of the "TELNET" protocol, the date and time of start of access, port (port), connection source IP address, user ID, connection destination IP address, and connection time are recorded in the summary log recording area 152A, and the received data is recorded in the full-text log recording area 152B.
The log holding unit 152 holds the recorded content of the access log described above bound to the application number. In addition, the access log acquired through Windows RDP is recorded in the form of a moving image.
Fig. 5 is a diagram showing an example of display of the login screen.
When remote login to the relay apparatus 11 is requested from the work terminal 20, a login screen 50 shown in fig. 5 is displayed on the work terminal 20. When the relay device 11 receives the remote login request, a login window 51 is displayed in the login screen 50 of the work terminal 20. That is, the login interface processing unit 111 of the relay apparatus 11 provides the user interface screen of the work terminal 20. The user of the work terminal 20 inputs a user ID and a password in the login window 51 displayed in the login screen 50. From the user's side, the user interface is the same as that provided by a conventional terminal server, but the input user identification information is supplied to the user authentication device 12, the application management device 13, and the access right management device 14, respectively, and used for user authentication, application determination, and access right authentication.
Fig. 6 is a diagram showing an example of display of an access application screen.
When the worker accesses the application management apparatus 13 from the work terminal 20 in order to apply for a job, an access application screen 60 shown in fig. 6 is displayed on the work terminal 20. That is, when an access is made from the job terminal 20, the job application section 131A of the application state management section 131 causes the access application screen 60 to be displayed as a Web page on the job terminal 20.
The name of the user applying for the job is input in the applicant name area 61. When the job is performed by a person other than the applicant, the applicant inputs the name of the user who is scheduled to actually execute the job. The project name of the requested job is input to the project name area 62. The type of the service information system to be the target is selected from the system classification area 63. Here financial information system 64 is selected. The access interface processing unit 133 may perform control so as to prohibit the user from accessing a system other than the selected service information system at the application date and time.
The system name area 64 indicates the name of the business information system, and the job type area 65 indicates the job type. The content input area 66 is an area for freely describing the job content and the like. The attached area 67 is an area for attaching an electronic file such as a protocol to be used. The access scheduled date and time area 68 indicates a job scheduled date and time. The operator inputs data for each item shown in the application screen 60, and then clicks an application button 69. In this way, the work terminal 20 transmits the input data to the application management apparatus 13 as the work application information.
When an access application is made, an electronic file in which a protocol to be actually used is described is added in addition to the applicant name, the project name, the system classification, the system name, the job type, the content, and the date and time of access reservation, whereby the job application information and the attached electronic file can be collectively managed.
Fig. 7 is a diagram showing an example of display of the access authorization screen.
When a job application requiring authorization is made, an access authorization screen 70 shown in fig. 7 is displayed on the authorization terminal 44. That is, when a job application requiring authorization is made, the registration determination unit 131B of the application state management unit 131 notifies the authorization terminal 44 of the application number. If the authorizer designates an application number and accesses the application management apparatus 13, the job authorizing section 131D causes the access authorization screen 70 to be displayed as a Web page on the authorization terminal 44.
The application information area 71 shows the access application contents input in the application screen 60. The authorizer name area 72 is an area for inputting an authorizer name. The authorization requester name area 73 is an area for inputting a user name for requesting authorization. For example, when the user B having the authorization authority entrusts the authorization to the user C, the user C performs the authorization judgment as a proxy for the user B. This is a measure for coping with a special situation such as the user B being on vacation.
The communication field 74 is a field in which information for the job applicant is described, and may be used to describe a reason for rejecting the application, or an additional condition or comment on the job content when the application is authorized. The authorization button 75 is a button used for authorization, and the rejection button 76 is a button used for rejection. When either the authorization button 75 or the reject button 76 is clicked, the input contents and data indicating whether or not authorization was granted are sent to the application management apparatus 13. The job authorization section 131D transmits the data to the job terminal 20 by e-mail, for example.
When a maintenance work requiring a special authority, such as "disconnection work", is applied for, the upgrade user information is updated based on whether the work is authorized and on the execution condition information. For example, assume that a disconnection job is applied for with a time slot within "6:00 to 16:00" on a business day as the scheduled job time. If authorized, the applicant is upgraded, limited to the applied date and time. For example, assume that the user A applies for the disconnection job with "10:00 to 11:00" on the business day "9/28/2006" as the scheduled job date and time. If the job is authorized, user A becomes an upgraded user only during the period indicated by the scheduled job date and time. That is, when 10:00 on 9/28/2006 is reached, the upgrade processing unit 138 upgrades the user A and registers the upgrade user information in the legitimate user information holding unit 122. When 11:00 on 9/28 is reached or the disconnection job ends, the user A is downgraded and deleted from the upgrade user information. Thus, in the present embodiment, the special right is a right with a time limit.
The special right referred to herein may also be a so-called super (root) right or an administrator (administrator) right. That is, the upgradable user may be a user who can acquire the administrator authority by, for example, a so-called "su command" of UNIX (registered trademark) after logging in with his/her user ID.
In addition, whether or not special rights are given can be managed by using other access policies different from the application and authorization processes. For example, the operation of the operator B may be permitted under the following conditions: the disconnection job is requested by the worker B, the job is authorized by the authorizer C, and the other authorizer D permits giving a special authority to the worker B. By separating the manager of the important right, i.e., the "special right", from the job authorizer in this way, the information security of the service information guard 10 can be further enhanced.
The upgrade processing unit 138 may upgrade a predetermined user when a predetermined condition is satisfied, regardless of the job application. For example, if the user B is an expert in dealing with a disaster, the upgrade processing unit 138 may upgrade the user B for a predetermined time if it detects the occurrence of an earthquake. In such an emergency, the access rule may be one that omits the job application procedure. That is, measurement of a vibration equal to or greater than a predetermined value by a seismometer provided in the service information guard 10 may be set as the upgrade condition for the user D.
As another example, a computer virus may be detected at the business information system as an upgrade condition for a specified user. Alternatively, when the user C having a special authority makes an access beyond the scope of the job application, the user C can be downgraded. That is, the upgrade or downgrade process may be executed under the condition that a predetermined event has occurred in the service information guard 10 or the client environment 40 as an upgrade or downgrade condition. The manager may set the upgrade and downgrade conditions to the upgrade processing unit 138 from the outside. Therefore, even in the above emergency situation, it is possible to make an appropriate user quickly upgrade with a time limit.
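The time-limited special right described above amounts to periodically reconciling the set of upgraded users against the job schedule and any event-driven conditions. The sketch below is an added example, not code from the patent; the names `ScheduledJob`, `reconcile`, `emergency` and `out_of_scope`, and the exclusive end time, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Work types that need the special authority (the page names only "04",
# disconnection work).
SPECIAL_JOB_TYPES = {"04"}

@dataclass
class ScheduledJob:
    app_no: int
    user_id: str
    job_type: str
    start: datetime
    end: datetime
    status: str              # "unauthorized" | "authorized" | "rejected"
    finished: bool = False   # set when the job ends before its scheduled end

def entitled_by_schedule(schedule, now):
    """Users whose authorized special-authority job window contains `now`."""
    return {
        job.user_id
        for job in schedule
        if job.job_type in SPECIAL_JOB_TYPES
        and job.status == "authorized"
        and not job.finished
        and job.start <= now < job.end      # assumption: end time is exclusive
    }

def reconcile(schedule, upgraded, now, emergency=(), out_of_scope=frozenset()):
    """One pass of the upgrade processing.

    upgraded     -- set of user IDs currently holding the special right
    emergency    -- (user_id, until) grants created by a predetermined event,
                    such as a detected earthquake, without a job application
    out_of_scope -- users seen accessing beyond the scope of their application
    Returns (to_upgrade, to_downgrade, new_upgraded).
    """
    target = entitled_by_schedule(schedule, now)
    target |= {user for user, until in emergency if now < until}
    target -= set(out_of_scope)             # downgrade condition wins
    return target - upgraded, upgraded - target, target
```

Running `reconcile` on every timer tick and on every event keeps the upgrade user information from outliving the window that justified it.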
Fig. 8 is a diagram showing an example of display of an access application/authorization level setting screen.
When the administrator presets the access authorization level of the job application information, the authorization terminal 44 displays an access application/authorization level setting screen 80 shown in fig. 8. The administrator can set whether or not the application or authorization is required in advance for each port by the server setting on the access application/authorization level setting screen 80.
The protocol, port number area 81 shows the port number of each protocol. The service activation area 82 is an area for setting whether or not to automatically activate a user interface or the like when accessed to provide a service. The full-text log acquisition area 83 is an area for setting whether to acquire a full-text log of the job content. The access authorization level area 84 is an area for setting an authorization level required for a prior application or authorization.
The access application/authorization level setting screen 80 can set not only the authorization level for each protocol and port number but also a summary log storage period, a full-text log storage period, an access application/screen operation log storage period, and a server state. This makes it possible to delete unnecessary access logs from the large number of access logs held by the log holding unit 152.
In the case of the example of fig. 8, port number 23 of the TELNET communication protocol is set to require prior application and authorization. On the other hand, port No. 223 of the TELNET communication protocol is set to a state in which application and authorization are not required at the time of access. In this way, "prior application and authorization" may be set in a port that is normally used, or only "prior application" may be set in the case where an authorizer is not present in an emergency.
Fig. 9 is a diagram showing an example of display of the access log search screen.
The access log search screen 90 shown in fig. 9 is displayed on the authorization terminal 44 when the authorizer performs an access check (log check). In order to confirm whether the permitted access was performed in accordance with the job content applied for in advance, the authorizer sets a search condition for the access log to be searched on the access log search screen 90. The search button 91 is a button for executing a search of the access log with the set search condition. When the search button 91 is clicked, data indicating the search condition is transmitted to the log management device 15. The job verification unit 151B of the log management unit 151 of the log management apparatus 15 extracts the access log registered by the log holding unit 152 and the job scheduling information registered by the job scheduling holding unit 136 of the application management apparatus 13 based on the data indicating the search condition.
Fig. 10 is a diagram showing an example of display of a search result screen.
When the search button 91 of the access log search screen 90 is clicked, a search result screen 100 shown in fig. 10 is displayed on the authorization terminal 44. That is, the application management apparatus 13 and the log management apparatus 15 search for an access log that satisfies the search condition set by the authorizer on the access log search screen 90, and the search result (the access log and the job scheduling information) is transmitted to the authorization terminal 44 and displayed as a summary list on the search result screen 100.
The file icon 101 is a button for downloading specific job content. When the file icon 101 is clicked, the specific contents of the executed commands are acquired as a text file and displayed. In addition, the file icon 102 is a button for downloading the application content. When the file icon 102 is clicked, the specific application content is acquired and displayed. That is, since the authorizer can easily compare the access log with the application content, the log check can be efficiently performed.
In addition, if a prohibited command or the like that is considered unnecessary according to the content of the application is registered as a keyword in advance, the number of record lines containing the keyword and the records themselves can be extracted. For example, when a "general ID job" is applied for as the access category at the time of access application, the access uses a general ID, so neither a command to acquire a privileged ID nor a command to add a user is needed. Therefore, for the "general ID job", "SU-" (a command for acquiring a privileged ID) and "useadd" (a command for adding a user), which are prohibited or unnecessary, are registered as keywords in advance. This makes it possible to extract an access log containing a prohibited command or the like which is considered unnecessary according to the content of the application and provide the access log to an authorizer, thereby making it possible to efficiently find unauthorized use.
Further, if the function of mail notification is used, it is possible to send an electronic mail to the administrator when an operation matching the keyword is performed. This enables efficient log checking by performing access checking alone.
Here, the search result is displayed so that the access log and the application content can be compared, but the comparison may also be performed automatically: based on the data indicating the search condition, the job verification unit 151B of the log management unit 151 may compare the job scheduling information registered by the job scheduling holding unit 136 of the application management apparatus 13 with the access log registered by the log holding unit 152, and detect as an illegal access any access indicated in the log information that does not match the maintenance job applied for in the job scheduling information.
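The keyword check and the automatic comparison of the access log with the applied job can be sketched as below. This is an added example, not code from the patent: the log line layout, the sample log, the application numbers and the regular expressions are constructed, with the patterns modelled on the page's "SU-" and "useadd" keywords and on its file-rewriting example for "operation monitoring".

```python
import re
from collections import Counter

# Keywords registered in advance per applied job category (constructed patterns).
PROHIBITED = {
    "general ID job": {
        "su -": re.compile(r"\bsu\s+-"),
        "useradd": re.compile(r"\buseradd\b"),
    },
    "operation monitoring": {
        "file rewrite": re.compile(r"\b(rm|mv|cp)\b|\bsed\s+-i\b"),
    },
}

# Application number -> applied job category (constructed job scheduling data).
SCHEDULE = {1001: "general ID job", 1002: "operation monitoring"}

# Constructed full-text log: application number, timestamp, user ID, command.
FULLTEXT_LOG = """\
1001 2006-09-28T10:02:11 userA ls -l /var/log
1001 2006-09-28T10:03:40 userA su - root
1001 2006-09-28T10:05:02 userA useradd tmpadmin
1002 2006-09-28T10:10:00 userB tail -n 50 /var/log/app.log
1002 2006-09-28T10:12:31 userB sed -i s/a/b/ /etc/app.conf
9999 2006-09-28T10:15:00 userC uptime
"""

def parse_log(text):
    """Yield (line_no, app_no, timestamp, user_id, command) per log record."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue                       # skip blank or malformed lines
        yield line_no, int(parts[0]), parts[1], parts[2], parts[3]

def verify(log_text, schedule):
    """Return findings as (app_no, line_no, reason), in log order."""
    findings = []
    for line_no, app_no, _ts, _user, command in parse_log(log_text):
        category = schedule.get(app_no)
        if category is None:
            # The record is not bound to any registered job application.
            findings.append((app_no, line_no, "no matching application"))
            continue
        for label, pattern in PROHIBITED.get(category, {}).items():
            if pattern.search(command):
                findings.append((app_no, line_no, label))
    return findings

def hits_per_application(findings):
    """Number of flagged record lines per application number."""
    return Counter(app_no for app_no, _line, _reason in findings)
```

Each finding carries the application number, so the authorizer can open the matching application content next to the flagged record.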
[ processing of work application ]
Here, the work application process performed by the operator of the work terminal 20 will be described. The operator first inputs a user ID and a password on a login screen 50 shown in fig. 5 displayed on the work terminal 20. The work terminal 20 directly accesses the application management apparatus 13 without passing through the relay apparatus 11, along with the input user identification information. The application management apparatus 13 transmits the user identification information to the user authentication apparatus 12. The user authentication unit 121 of the user authentication device 12 performs user authentication with reference to the legitimate user information stored in the legitimate user information storage unit 122, and when authentication fails, the following processing is not performed.
If the authentication is successful, the user authentication device 12 notifies the application management device 13 of the result of the successful authentication. The job application unit 131A of the application management device 13 transmits the application screen data to the job terminal 20. The work terminal 20 displays an access application screen 60 shown in fig. 6. The user inputs data on the access application screen 60, and the input data is transmitted to the application management apparatus 13 as job application information.
The registration determination unit 131B of the application management apparatus 13 compares the content of the applied job with the execution condition information of the execution condition holding unit 135, and determines whether registration is possible. If the job application is not valid, the registration determination unit 131B rejects the application, notifies the job terminal 20 of the rejection result, and does not execute the following processing. On the other hand, when determining that the work application is valid, the registration determination unit 131B registers the requested maintenance work in the work schedule information of the work schedule holding unit 136. If the job requires authorization, the application notification unit 131C transmits an e-mail requesting authorization to the authorization terminal 44.
Through the above processing, only job application information satisfying the requirement as a valid job application among the job application information is formally registered as "job scheduling information" in the job scheduling holding portion 136.
[ processing for authorizing work ]
Next, authorization processing of the job content requested by the job application processing will be described. The authorization terminal 44 accesses the application management apparatus 13 after receiving the e-mail notifying it that an application has been made. The authorizer enters the user ID and password on the login screen 50 shown in fig. 5 at any time. In addition, the authorizer also specifies an application number when entering the user ID and password. The authorization terminal 44 transmits the user ID and the password of the inputted authorizer to the user authentication apparatus 12. The user authentication unit 121 of the user authentication device 12 acquires the user ID and the password from the authorization terminal 44, and performs user authentication of the authorizer with reference to the authorized user information registered in the authorized user information holding unit 122. If the user authentication fails, the following process is not executed.
When the authentication is successful, the job authorization unit 131D of the application management apparatus 13 searches for the job application information registered in the job scheduling holding unit 136 based on the application number acquired from the authorization terminal 44. The job authorization unit 131D of the application management device 13 transmits HTML (HyperText Markup Language) data for the access authorization screen 70 to the authorization terminal 44 based on the retrieved job application information. The authorization terminal 44 displays an access authorization screen 70 (fig. 7) related to the job specified by the application number. When the authorizer confirms the access authorization screen 70 and clicks the authorization button 75 or the reject button 76, the inputted data is transmitted to the application management apparatus 13. The job authorizing section 131D of the application management apparatus 13 updates the job scheduling information of the job scheduling holding section 136 according to whether or not authorization was granted. The job authorization section 131D notifies the job terminal 20 of whether or not the job was authorized.
The validly applied job is authorized by the above processing. Further, when the authorizer accesses the application management apparatus 13, the application management apparatus 13 may display the job applications awaiting authorization in a list, and provide a user interface from which the authorizer selects the job application to be authorized. In addition, a plurality of job applications may be collectively authorized or denied.
[ concerning telnet processing ]
The telnet process for the business information system is explained next. The operator first accesses relay device 11 from work terminal 20. The relay device 11 checks the IP address of the accessing work terminal 20, determines whether or not to permit connection, and disconnects the connection when determining that the connection is not permitted. On the other hand, when connection of the work terminal 20 is permitted, the relay device 11 requests the work terminal 20 for user identification information (user ID and password) in a form suitable for the protocol. The work terminal 20 displays a login screen 50 (fig. 5), and receives a user ID and a password input by the operator. The work terminal 20 transmits the input user ID and password to the relay device 11.
The relay device 11 supplies the user ID and the password received from the work terminal 20 to the user authentication device 12, the application management device 13, and the access right management device 14. The user authentication unit 121 of the user authentication device 12 acquires the user ID and the password from the relay device 11, and authenticates the operator by referring to the legitimate user information registered in the legitimate user information holding unit 122. Subsequent processing is not performed if the user authentication fails.
When the authentication is successful, relay device 11 requests work terminal 20 to input an access destination. Work terminal 20 receives an access destination input by the operator, and transmits information (such as an IP address and a host name) indicating the access destination to relay device 11. The relay device 11 transmits the information indicating the access destination received from the work terminal 20 to the access right management device 14. The access right authentication unit 141 of the access right management device 14 refers to the access application status registered in the access right information holding unit 142 based on the information indicating the access destination, and confirms the access right of the user to the access destination. When the access right authentication unit 141 determines that the access is not appropriate, the user is denied access to the access destination. On the other hand, when it is determined that the access is appropriate, the user is permitted to access the access destination. When all the determinations are affirmative, the operator can access the service information system to be subjected to the maintenance work.
Through the above processing, when a remote login to the service information system is judged to be an unauthorized access, the login fails and the access can be prohibited.
[Determination processing for upgrade/downgrade]
Next, the user upgrading and downgrading process performed by the upgrade processing unit 138 will be described. The upgrade processing unit 138 of the application management device 13 reads the job scheduling information from the job scheduling holding unit 136, and determines whether or not there is a user to be upgraded. For example, suppose user A requests the disconnection job with "10:00 to 11:00" on the business day "September 28, 2006" as the job reservation date and time, and is authorized. In this case, when 10:00 on September 28, 2006 is reached, the upgrade processing unit 138 upgrades user A. The upgrade processing unit 138 transmits the user identification information of the user to be upgraded to the user authentication device 12, and registers user A in the upgrade user information of the legitimate user information holding section 122.
In addition, the upgrade processing unit 138 determines whether or not the job scheduling information contains a user who should be downgraded. In the above example, when 11:00 on September 28, 2006 is reached, user A is downgraded. The upgrade processing unit 138 transmits the user identification information of the user to be downgraded to the user authentication device 12, and deletes user A from the upgrade user information in the legitimate user information holding section 122.
The application management device 13 can periodically update the upgrade user information by repeatedly executing the above-described processing every predetermined time (for example, every 1 minute).
As described above, the information security of the service information system can be further improved by using special authority with a time restriction. The user may also request the special authority himself or herself after the remote login, in which case the upgrade processing unit 138 may determine whether the upgrade is permitted based on a predetermined upgrade condition.
Further, the details of the job application process, the job authorization process, the login process to the business information system, and the upgrade and downgrade determination process are well known, as described in Japanese Patent Application Laid-Open No. 2008-117361 and the like.
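The login checks and the timed upgrade/downgrade pass described above can be put together as follows. This is an added example, not code from the patent: the data model, function names, sample users, addresses and passwords are constructed here, and it assumes each job application names one access destination.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Every name and value below is constructed for this example.
ALLOWED_NETS = [ip_network("192.0.2.0/24")]    # work terminals the relay accepts

def pw_hash(password):
    # Fixed salt keeps the demo short; real stores use a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

LEGIT_USERS = {"userA": pw_hash("s3cret-A"), "userB": pw_hash("s3cret-B")}
ACCESS_RIGHTS = {"userA": {"db01"}, "userB": {"db01"}}

@dataclass(frozen=True)
class Job:
    number: int
    user: str
    destination: str
    start: datetime
    end: datetime
    authorized: bool
    needs_special: bool = False

SCHEDULE = [
    Job(101, "userA", "db01", datetime(2006, 9, 28, 10), datetime(2006, 9, 28, 11), True, True),
    Job(102, "userB", "db01", datetime(2006, 9, 28, 10), datetime(2006, 9, 28, 11), False),
]

def reconcile_upgrades(schedule, upgraded, now):
    """One pass of the periodic job: users whose authorized special-authority
    window is open are upgraded, all others are downgraded."""
    due = {j.user for j in schedule
           if j.authorized and j.needs_special and j.start <= now < j.end}
    added, dropped = due - upgraded, upgraded - due
    upgraded.clear()
    upgraded.update(due)
    return added, dropped

def decide_login(src_ip, user, password, destination, now, schedule, upgraded):
    """Return (allowed, reason); the first failing check ends the attempt."""
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return False, "malformed source address"
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source address not permitted"
    # Hash even for unknown users so both failure cases cost the same work.
    if not hmac.compare_digest(LEGIT_USERS.get(user, b""), pw_hash(password)):
        return False, "user authentication failed"
    jobs = [j for j in schedule if j.user == user and j.destination == destination]
    if not jobs:
        return False, "no job application for this destination"
    jobs = [j for j in jobs if j.authorized]
    if not jobs:
        return False, "job application not authorized"
    jobs = [j for j in jobs if j.start <= now < j.end]
    if not jobs:
        return False, "outside the reserved date and time"
    if destination not in ACCESS_RIGHTS.get(user, set()):
        return False, "no access right to destination"
    # A job that needs special authority passes only while the user is upgraded.
    ok = [j for j in jobs if not j.needs_special or user in upgraded]
    if not ok:
        return False, "special authority not currently granted"
    return True, "permitted under application %d" % ok[0].number

if __name__ == "__main__":
    upgraded = set()
    now = datetime(2006, 9, 28, 10, 0)
    reconcile_upgrades(SCHEDULE, upgraded, now)
    print(decide_login("192.0.2.7", "userA", "s3cret-A", "db01", now, SCHEDULE, upgraded))
```

The window test is half-open (`start <= now < end`), so a login at exactly 11:00 is refused and the same pass that closes the window removes the user from the upgraded set.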
[Concerning access check processing]
Next, the access check process will be described with reference to the flowchart of fig. 11. To confirm whether the permitted access was carried out in accordance with the previously requested job content, the authorizer instructs execution of an access check (log check) using an input unit (not shown) of the authorization terminal 44.
In step S1, the authorization terminal 44 displays the access log search screen 90 shown in fig. 9 based on an instruction from the authorizer. The authorizer sets, on the access log search screen 90, the search condition for the access log to be searched. In step S2, the authorization terminal 44 receives the input of the access log search condition set by the authorizer. When the search button 91 is clicked, the authorization terminal 44 transmits the entered access log search condition data to the log management device 15 in step S3.
In step S4, when the job verification unit 151B of the log management device 15 receives the search condition data from the authorization terminal 44, it reads the job scheduling information corresponding to the application number included in the search condition data from the job scheduling holding unit 136 of the application management device 13, reads the access log bound to the application number from the log holding section 152, compares the two, and checks whether or not the access was an unauthorized access. For example, as described above, when a job application has been made for the purpose of "operation monitoring", a file rewriting process is treated as an unauthorized access. In step S5, the job verification unit 151B reads the access log that meets the search condition from the log holding section 152, and notifies the authorization terminal 44 of it as the access check result.
In step S6, the authorization terminal 44 displays the search result screen 100 shown in fig. 10 based on the access check result received from the log management device 15. In addition, when prohibited commands that are considered unnecessary for the applied content are registered in advance as keys and access log records matching a key are retrieved, the administrator can be notified by mail of the number of matching records and of the matching records themselves.
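The cross-check of step S4 and the key matching just described, as an added example that is not code from the patent. The log line format, the mapping from job purpose to permitted operations, the command classification and all sample records are assumptions constructed here.

```python
import re
import shlex

# Constructed policy: operation classes each applied job purpose permits.
PURPOSE_ALLOWS = {"operation monitoring": {"read"},
                  "data correction": {"read", "write"}}
WRITE_COMMANDS = {"rm", "mv", "cp", "vi", "sed", "tee", "chmod", "dd"}
PROHIBITED_KEYS = ["shutdown", "rm -rf"]      # keys registered in advance

# Constructed job schedule entries, keyed by application number.
JOBS = {101: {"user": "userA", "purpose": "operation monitoring"},
        102: {"user": "userB", "purpose": "data correction"}}

# Constructed access log; the line format is an assumption of this example.
SAMPLE_LOG = '''\
2006-09-28T10:02:11 app=101 user=userA cmd="tail -n 50 /var/log/batch.log"
2006-09-28T10:05:40 app=101 user=userA cmd="vi /etc/batch/job.conf"
2006-09-28T10:07:02 app=101 user=userC cmd="cat /etc/passwd"
2006-09-28T10:09:30 app=102 user=userB cmd="sed -i s/0/1/ /data/flags.txt"
2006-09-28T10:11:15 app=101 user=userA cmd="echo done > /tmp/marker"
2006-09-28T10:12:00 app=101 user=userA cmd="sudo shutdown -h now"
corrupted line without fields
'''
LINE = re.compile(r'^(\S+) app=(\d+) user=(\S+) cmd="(.*)"$')

def classify(cmd):
    """Deliberately coarse and conservative: any write command or output
    redirection anywhere in the line makes the whole record a 'write'."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return "write"                        # unparseable: assume the worst
    if any(t in WRITE_COMMANDS or t.startswith(">") for t in tokens):
        return "write"
    return "read"

def access_check(application_number, log_text=SAMPLE_LOG):
    """Compare the log records bound to one application number with the
    job that was applied for, and collect prohibited-key matches."""
    job = JOBS.get(application_number)
    allowed = PURPOSE_ALLOWS.get(job["purpose"], set()) if job else set()
    result = {"records": 0, "unparsed": 0, "violations": [], "key_hits": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            result["unparsed"] += 1           # damaged records are counted, not dropped
            continue
        ts, app, user, cmd = m.groups()
        if int(app) != application_number:
            continue
        result["records"] += 1
        if job is None:
            result["violations"].append((ts, "no job application on file"))
        elif user != job["user"]:
            result["violations"].append((ts, "user is not the applicant"))
        elif classify(cmd) not in allowed:
            result["violations"].append((ts, "operation outside applied purpose"))
        for key in PROHIBITED_KEYS:
            if key in cmd:
                result["key_hits"].append((ts, key))
    return result

if __name__ == "__main__":
    print(access_check(101))
```

For application 101 the `shutdown` record passes the purpose check but is still reported through the key list, which is why the two checks are kept separate.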
[Effect of the embodiment of the invention]
As described above, in the present embodiment, application determination is performed in addition to user authentication, which makes it easy to prevent unauthorized access. When only user authentication is performed, leakage of user identification information tends to lead directly to information leakage from the service information system. However, since the service information guard 10 also requires a job application procedure, leakage of user identification information does not readily lead directly to unauthorized access. This is because, even if an unauthorized user temporarily obtains user identification information illegally, having to go as far as making a fraudulent job application acts as a psychological deterrent against accessing the service information system.
In addition, an architecture is implemented that restricts access to the client environment 40 even for the SEs of a legitimate management company. As described above, since the application for and authorization of a job are recorded as a log, a subsequent access check is easy to perform. Therefore, there is the advantage that the compliance of the system with the specifications of the client enterprise is easy to prove. With such a feature, the service information guard 10 can contribute to the "enhancement of internal unified management" required by the SOX act.
When the content of the requested operation does not conform to the execution condition information, the registration determination unit 131B may notify the authorization terminal 44 that the requested application is suspicious, or may temporarily invalidate the user identification information. By having the registration determination unit 131B perform such a job application check, an illegal job application can be rejected automatically. Further, since maintenance work that requires not only an application but also an authorization can be defined, the information security can be further improved.
When maintenance work requiring special authority is performed, setting a time restriction on the special authority also makes it possible to manage in a unified way when and to which users special authority is granted.
Generally, for maintenance work, an execution schedule is predetermined. In the present embodiment, by performing a prior work application and authorization at an arbitrary timing, it is possible to realize security management of the business information system without imposing an excessive psychological burden on the operator and the authorizer.
The service information guard 10 can also log access. In addition, the log management section 151 can check whether or not the content of the job application matches the actual job content. Therefore, even after access has been permitted, it is easy to check afterward whether or not an illegal access has occurred.
In this way, the service information guard device 10 guards the service information system from the following aspects.
1. User authentication
2. Determination of whether the requested job content conforms to the execution condition
3. Application determination at telnet request
4. Comparison of telnet request date and time with requested job reservation date and time
5. Determinations related to special authority
6. Illegal access detection based on access log
In addition, the business information guard 10 can collectively manage access to a plurality of business information systems. Thus, a uniform access policy is easily applied to a plurality of service information systems. It also has the advantage that it can be realized simply by adding the service information protection device 10 to a service information system that is already in operation.
The above description has taken "maintenance work" as an example, but the present invention is not limited to this, and can also be applied to a case where, for example, an employee accesses the system from an outside location.
The series of processes may be executed by hardware or software. When a series of processes is executed by software, a program constituting the software may be installed from a program recording medium into a computer incorporated into dedicated hardware or a general-purpose personal computer or the like capable of executing various functions by installing various programs.
The present invention is not limited to the embodiments described above, and various inventions can be formed by modifying and embodying technical features in the implementation stage, or by appropriately combining a plurality of technical features disclosed in the implementation embodiments, without departing from the gist thereof. For example, several constituent elements may be deleted from all the constituent elements shown in the embodiments. Further, the constituent elements in the different embodiments may be appropriately combined.

Claims (5)

1. A service information protection device is characterized in that the device is provided with
A legitimate user information holding means that holds legitimate user information in which legitimate users that can execute system-specified processing are registered;
an application receiving means that receives application information for applying for specifying an access subscriber and executing the prescribed processing;
a reservation holding device that holds reservation information that associates the prescribed processing that is applied with the person who subscribes to access;
an execution request receiving device that receives user identification information for specifying a visitor from a terminal when the predetermined process is executed;
a user authentication device that determines whether or not the visitor is registered as a valid user, with reference to the valid user information;
an application state determination device that determines whether or not a predetermined process in which the visitor is a person scheduled for visiting has been applied, with reference to the schedule information; and
an access control device that permits access from the terminal to the system to perform a predetermined process, on condition that both the determination by the user authentication device and the determination by the application state determination device are affirmative determinations,
the legitimate user information holding means also holds upgraded user information indicating a user who can obtain a special right different from the usual user right,
the application state determination device also determines whether or not the visitor is a user who can obtain the special authority when the special authority is designated as an execution condition for the prescribed process being applied.
2. The apparatus for protecting service information according to claim 1, further comprising:
an application notification device that notifies an authorizer who stipulates a processing application of the requested processing content; and
an authorization obtainment unit that accepts an authorization input from the authorizer,
the reservation holding means also holds the prescribed process applied and the authorization state thereof as the reservation information correspondingly,
the application state determination means also determines whether the prescribed process being applied is authorized.
3. The service information protection device according to claim 1 or 2,
the application state determination device also determines whether or not the execution date and time of the predetermined process is within the period of application.
4. The apparatus according to claim 1 or 2, further comprising:
an execution condition holding means that holds execution condition information defining an execution condition of a prescribed process; and
an application registration determination device that registers the applied predetermined process in the predetermined information on the condition that the applied process content matches the execution condition information.
5. The apparatus for protecting service information according to claim 1, further comprising:
an upgrade condition setting device which accepts input of setting of an upgrade condition indicating a condition for which a special authority is available; and
an upgrade registration means for registering a user to be an upgrade condition object in the upgrade user information when the upgrade condition is established.
CN201610822526.7A 2011-03-25 2011-03-25 Service information protection device Active CN107103216B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610822526.7A CN107103216B (en) 2011-03-25 2011-03-25 Service information protection device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610822526.7A CN107103216B (en) 2011-03-25 2011-03-25 Service information protection device
CN201110081078.7A CN102693373B (en) 2011-03-25 2011-03-25 Business information preventer

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201110081078.7A Division CN102693373B (en) 2011-03-25 2011-03-25 Business information preventer

Publications (2)

Publication Number Publication Date
CN107103216A CN107103216A (en) 2017-08-29
CN107103216B true CN107103216B (en) 2020-08-25

Family

ID=46858801

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201610822526.7A Active CN107103216B (en) 2011-03-25 2011-03-25 Service information protection device
CN201110081078.7A Active CN102693373B (en) 2011-03-25 2011-03-25 Business information preventer

Country Status (1)

Country Link
CN (2) CN107103216B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107103216B (en) * 2011-03-25 2020-08-25 株式会社野村综合研究所 Service information protection device
CN105592027B (en) * 2014-11-18 2019-10-22 慧盾信息安全科技(苏州)股份有限公司 A kind of security protection system and method for preventing dragging library for DNS
CN106778345B (en) * 2016-12-19 2019-10-15 网易(杭州)网络有限公司 The treating method and apparatus of data based on operating right
JP6691085B2 (en) * 2017-09-20 2020-04-28 ファナック株式会社 Application security management system and edge server
CN112602085A (en) * 2018-09-03 2021-04-02 株式会社日立高新技术 Display device, information terminal, method for protecting personal information, program, and recording medium containing the program
CN110503334A (en) * 2019-08-23 2019-11-26 行吟信息科技(上海)有限公司 A kind of state machine control method and system
JP7362372B2 (en) * 2019-09-05 2023-10-17 日立チャネルソリューションズ株式会社 Remote maintenance system and remote maintenance method for banknote processing system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1630252A (en) * 2003-12-16 2005-06-22 华为技术有限公司 Broadband IP access equipment and method for realizing user log in same equipment
CN1959695A (en) * 2005-11-04 2007-05-09 佳能株式会社 Printing management system and printing management method
CN101170409A (en) * 2006-10-24 2008-04-30 华为技术有限公司 Method, system, service device and certification server for realizing device access control
US7568107B1 (en) * 2003-08-20 2009-07-28 Extreme Networks, Inc. Method and system for auto discovery of authenticator for network login
CN101599977A (en) * 2009-07-17 2009-12-09 杭州华三通信技术有限公司 The management method of Network and system
US7987357B2 (en) * 2007-11-28 2011-07-26 Red Hat, Inc. Disabling remote logins without passwords
CN102693373B (en) * 2011-03-25 2016-11-16 株式会社野村综合研究所 Business information preventer

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6151664A (en) * 1999-06-09 2000-11-21 International Business Machines Corporation Programmable SRAM and DRAM cache interface with preset access priorities
JP4434551B2 (en) * 2001-09-27 2010-03-17 株式会社東芝 Server computer protection device, server computer protection method, server computer protection program, and server computer
JP4007873B2 (en) * 2002-07-09 2007-11-14 富士通株式会社 Data protection program and data protection method
JP2005189969A (en) * 2003-12-24 2005-07-14 Kureo:Kk Data backup program, data backup method, portable terminal and data backup device
CN1564255A (en) * 2004-03-24 2005-01-12 华中科技大学 Digital memory media protecting method based on online controlled access tech, and its system
EP1983497A1 (en) * 2006-02-06 2008-10-22 Matsushita Electric Industrial Co., Ltd. Secure processing device, method and program

Also Published As

Publication number Publication date
CN107103216A (en) 2017-08-29
CN102693373B (en) 2016-11-16
CN102693373A (en) 2012-09-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant