JP2009015585A - Management device, network system, program, and management method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To check whether or not an object to be managed conforms to a security policy by applying a correct security policy even when the security policy to be applied to the object changes. <P>SOLUTION: A policy storage part 121 (security policy storage part) stores security condition information. The security condition information describes conditions to be satisfied by a management object. An extraction condition storage part 133 stores management object extraction condition information. The management object extraction condition information describes conditions for extracting a management object to satisfy the conditions. An attribute storage part 141 stores management object attribute information. The management object attribute information describes the attributes of the management object. A management object extraction part 113 extracts the management object which satisfies the conditions described by the management object extraction condition information on the basis of the management object attribute information. A policy violation extraction part 115 checks whether or not the conditions described by the security condition information are satisfied by the management object extracted by the management object extraction part 113. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a management apparatus that manages a management target so as to satisfy a security policy.

In order to prevent information leakage, it is necessary to correctly set the security of devices such as computers. In particular, if any one of a plurality of devices connected via a network does not have the correct security settings, there is a risk of information leaking from there.
For this reason, a security policy that sets the standard for security settings is established, and if a device to be managed is in compliance with the security policy or if it violates the security policy, the specified program is automatically There is a management device that executes to change or prompt security settings.
By including identification information for specifying a device in the information describing the security policy, a different security policy can be applied to each device.
Japanese Patent Laid-Open No. 2002-247033 JP 2004-282626 A JP 2006-184936 A

The security policy to be applied to a device may change depending on conditions such as the location of the device on the network and the administrator or management department of the device.
The present invention has been made to solve the above-described problems, for example, and is a case where a security policy to be applied to a management object has changed due to organizational reform, personnel change, network configuration change, etc. Also, it is possible to determine the security policy that should be correctly applied to the management target, check whether the management target conforms to the security policy, and take measures if the management target violates the security policy. For the purpose.

The management device according to the present invention is:
In a management device that has a storage device that stores information and a processing device that processes information, and manages the management target so as to satisfy the security policy.
A security policy storage unit, an attribute storage unit, an extraction condition storage unit, an execution action storage unit, a management target extraction unit, a state acquisition unit, a policy violation extraction unit, and an action execution unit;
The security policy storage unit uses the storage device to store security condition information describing conditions that the management target should satisfy,
The attribute storage unit uses the storage device to store management target attribute information describing the management target attribute,
The extraction condition storage unit stores management target extraction condition information that describes a condition for extracting a management target that should satisfy the conditions described in the security condition information, using the storage device,
The execution action storage unit stores, using the storage device, execution action information describing an action to be executed when the management target does not satisfy the condition described in the security condition information,
The management target extraction unit uses the processing device to manage the conditions described in the management target extraction condition information stored in the extraction condition storage unit based on the management target attribute information stored in the attribute storage unit Extract the target,
The status acquisition unit acquires the status of the management target for the management target extracted by the management target extraction unit using the processing device,
The policy violation extraction unit extracts a management target that does not satisfy the condition described in the security condition information stored in the security policy storage unit based on the state acquired by the state acquisition unit using the processing device. And
The action execution unit executes the action described in the execution action information stored in the execution action storage unit for the management target extracted by the policy violation extraction unit using the processing device.

  According to the management device of the present invention, the management target extraction unit satisfies the condition described by the management target extraction condition information stored in the extraction condition storage unit based on the management target attribute information stored in the attribute storage unit. The policy violation extraction unit determines whether the management target extracted by the management target extraction unit satisfies the condition described by the security condition information stored in the security policy storage unit. Even if the security policy that should be applied to the management target has changed due to a change or change in the network configuration, etc., the security policy that should be correctly applied to the management target is determined, and whether the management target conforms to the security policy is checked. The effect of being able to take measures when the management target violates the security policy Unlikely to.

Embodiment 1 FIG.
The first embodiment will be described with reference to FIGS.

  FIG. 1 is a system configuration diagram showing an example of the overall configuration of a network system 800 in this embodiment.

The network system 800 includes a security operation management system 100, client devices 200a to 200c, and a network 300.
The network 300 is, for example, a LAN (Local Area Network) or the like, and connects between the security operation management system 10 and the client devices 200a to 200c or between the client devices 200a to 200c so that they can communicate with each other.
The client devices 200a to 200c are information terminal devices connected to the network 300, such as personal computers and server devices.

The security operation management system 100 manages whether the client devices 200a to 200c are operated in accordance with a predetermined security policy with the client devices 200a to 200c as management targets.
The security operation management system 100 includes a policy database storage unit 120, a target group database storage unit 130, a target information database storage unit 140, and the like.
The policy database storage unit 120 manages policies. The policy database storage unit 120 stores, as a database, information such as a security policy to be applied to the client devices 200a to 200c that are the management targets of the security operation management system 100, and a countermeasure method when there is a policy violation.
The target group database storage unit 130 manages security check target group information. The target group database storage unit 130 stores, as a database, information for grouping targets to which the same security policy is applied among the client devices 200a to 200c that are management targets of the security operation management system 100.
The target information database storage unit 140 manages information related to each of the client devices 200a to 200c that is actually a security check target. The target information database storage unit 140 stores information about the management target such as the attributes of the client devices 200a to 200c that are the management target of the security operation management system 100 as a database.

FIG. 2 is a diagram showing an example of the external appearance of the security operation management system 100 and the client devices 200a to 200c in this embodiment.
The security operation management system 100 and the client devices 200a to 200c include a system unit 910, a display device 901 having a CRT (Cathode / Ray / Tube) or LCD (liquid crystal) display screen, and a keyboard 902 (Key / Board: K / B). And hardware resources such as a mouse 903, an FDD 904 (Flexible / Disk / Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907, which are connected by cables and signal lines.
The system unit 910 is a computer, and is connected to the facsimile machine 932 and the telephone 931 with a cable, and is connected to the Internet 940 via a local area network 942 (LAN) and a gateway 941.

FIG. 3 is a diagram illustrating an example of hardware resources of the security operation management system 100 and the client devices 200a to 200c in this embodiment.
In FIG. 3, the security operation management system 100 and the client devices 200 a to 200 c include a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, a processing unit, a microprocessor, a microcomputer, or a processor) that executes a program. I have. The CPU 911 is connected to a ROM 913, a RAM 914, a communication device 915, a display device 901, a keyboard 902, a mouse 903, an FDD 904, a CDD 905, a printer device 906, a scanner device 907, and a magnetic disk device 920 via a bus 912, and the hardware thereof. Control the device. Instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of a storage device or a storage unit.
A communication device 915, a keyboard 902, a scanner device 907, an FDD 904, and the like are examples of an input unit and an input device.
Further, the communication device 915, the display device 901, the printer device 906, and the like are examples of an output unit and an output device.

The communication device 915 is connected to a facsimile machine 932, a telephone 931, a LAN 942, and the like. The communication device 915 is not limited to the LAN 942, and may be connected to the Internet 940, a WAN (wide area network) such as ISDN, or the like. When connected to a WAN such as the Internet 940 or ISDN, the gateway 941 is unnecessary.
The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The program group 923 stores programs that execute functions described as “˜units” in the description of the embodiments described below. The program is read and executed by the CPU 911.
The file group 924 includes information, data, signal values, variable values, and parameters that are described as “determination results of”, “calculation results of”, and “processing results of” in the description of the embodiments described below. Are stored as items of “˜file” and “˜database”. The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, Used for CPU operations such as calculation, calculation, processing, output, printing, and display. Information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during the CPU operations of extraction, search, reference, comparison, operation, calculation, processing, output, printing, and display. Is remembered.
In addition, the arrows in the flowcharts described in the following description of the embodiments mainly indicate input / output of data and signals. The data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 920, other optical disks, mini disks, and DVDs (Digital Versatile Disc). Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In the description of the embodiments described below, what is described as “to part” may be “to circuit”, “to device”, and “to device”, and “to step” and “to”. “Procedure” and “˜Process” may be used. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, only hardware such as elements, devices, substrates, wirings, etc., or a combination of software and hardware, and further a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” described below. Alternatively, the procedure or method of “to part” described below is executed by a computer.

  FIG. 4 is an internal block diagram showing an example of the functional block configuration of the security operation management system 100 in this embodiment.

  The security operation management system 100 includes a security check unit 110, a policy database storage unit 120, a target group database storage unit 130, and a target information database storage unit 140.

The policy database storage unit 120 performs policy data management. The policy database storage unit 120 includes a policy storage unit 121 and an execution action storage unit 122.
The policy storage unit 121 stores policy information using a storage device such as the magnetic disk device 920. The policy information is information describing a security policy to be applied to the client devices 200a to 200c to be managed.
The execution action storage unit 122 stores action information using a storage device such as the magnetic disk device 920. The action information is information describing an action to be executed in order to make the client devices 200a to 200c comply with the security policy when the client devices 200a to 200c to be managed are in violation of the applied security policy. Actions include, for example, execution of a program for forcibly changing settings, transmission of a notification mail to a target administrator, and the like.

The target group database storage unit 130 manages security check target grouping information. The target group database storage unit 130 includes a condition correspondence storage unit 132 and an extraction condition storage unit 133.
The extraction condition storage unit 133 stores extraction condition information using a storage device such as the magnetic disk device 920. The extraction condition information is information describing conditions for extracting a target to which the security policy is to be applied.
The condition correspondence storage unit 132 stores the condition correspondence information using a storage device such as the magnetic disk device 920. The condition correspondence information is information describing the correspondence between the policy information stored in the policy storage unit 121 and the extraction condition information stored in the extraction condition storage unit 133. That is, the condition correspondence information is information that associates the security policy described in the policy information with the condition for extracting the target to which the security policy described in the extraction condition information is to be applied.

The target information database storage unit 140 manages basic information for selecting a target when the security check unit 110 actually performs a security check. The target information database storage unit 140 includes an attribute storage unit 141.
The attribute storage unit 141 stores the management target attribute information using a storage device such as the magnetic disk device 920. The management target attribute information is information describing attributes of the client devices 200a to 200c that are management targets. The attribute is data such as an asset number, an IP (Internet Protocol) address, an installation location, an administrator name, and the like. These data will not change unless there is a change in network configuration, personnel changes, organizational changes, etc. The attribute storage unit 141 statically manages the management target attribute information. When the attribute is changed, the manager or the like operates the input device such as the keyboard 902 to input an instruction to change the management target attribute information, and the attribute storage unit 141 performs the management target according to the input instruction. Add, change, and delete attribute information. The security operation management system 100 and the client devices 200a to 200c themselves automatically detect the IP address to detect the change of the attribute and automatically update the management target attribute information stored in the attribute storage unit 141. You may comprise.

  The security check unit 110 performs a security check of the client devices 200a to 200c based on the policy. The security check unit 110 includes a policy acquisition unit 111, an extraction condition acquisition unit 112, a management target extraction unit 113, a state acquisition unit 114, a policy violation extraction unit 115, an action acquisition unit 116, and an action execution unit 117.

The policy acquisition unit 111 acquires the policy information stored in the policy storage unit 121 using a processing device such as the CPU 911.
The extraction condition acquisition unit 112 acquires extraction condition information corresponding to the policy information acquired by the policy acquisition unit 111 from the extraction condition information stored in the extraction condition storage unit 133 using a processing device such as the CPU 911.
The management target extraction unit 113 uses a processing device such as the CPU 911 to select a management target that satisfies the conditions described in the extraction condition information acquired by the extraction condition acquisition unit 112 based on the attribute information stored in the attribute storage unit 141. Extract.

The status acquisition unit 114 acquires the status of the management target for the management target extracted by the management target extraction unit 113 using a processing device such as the CPU 911.
The management target status includes, for example, the operating OS, anti-virus software and virus pattern file versions, installed software, the length of the login password, the last change date, and the firewall settings. These include items that are likely to change in a short period of time and directly related to security.

  The policy violation extraction unit 115 does not satisfy the security policy described in the policy information acquired by the policy acquisition unit 111 based on the state of the management target acquired by the state acquisition unit 114 using a processing device such as the CPU 911. Extract management targets.

The action acquisition unit 116 acquires action information corresponding to the policy information acquired by the policy acquisition unit 111 from the action information stored by the execution action storage unit 122 using a processing device such as the CPU 911.
The action execution unit 117 executes the action described in the action information acquired by the action acquisition unit 116 for the management target extracted by the policy violation extraction unit 115 using a processing device such as the CPU 911.

  FIG. 5 is a diagram showing an example of information stored in the security operation management system 100 according to this embodiment.

The extraction condition information 510 (target group table) is information stored in the extraction condition storage unit 133. The extraction condition information 510 indicates a condition for searching the target information database storage unit 140 for information on a management target that is a target at the time of an actual security check. The extraction condition information 510 includes a group ID 511, a group name 512, and an extraction condition 513.
The group ID 511 (target group ID) is identification data that uniquely identifies a group.
The group name 512 (target group name) is data describing the name of the group.
The extraction condition 513 is data describing conditions for extracting management targets belonging to a group.
The extraction condition storage unit 133 normally stores a plurality of extraction condition information 510. For example, the extraction condition storage unit 133 manages the extraction condition information 510 as a database record, and stores a table (target group table) including a plurality of extraction condition information 510.

The condition correspondence information 520 (policy target group mapping table) is information stored in the condition correspondence storage unit 132. The condition correspondence information 520 maps a policy and a group. The condition correspondence information 520 includes a correspondence ID 521, a policy ID 522, and a group ID 523.
The correspondence ID 521 is identification data that uniquely identifies the condition correspondence information 520, and may not be present.
The policy ID 522 is data indicating the policy definition information 530 associated with the extraction condition information 510 by the condition correspondence information 520. The policy ID 522 is equal to the policy ID 531 of the policy definition information 530 associated with the extraction condition information 510 by the condition correspondence information 520.
The group ID 523 is data indicating the extraction condition information 510 that is associated with the policy definition information 530 by the condition correspondence information 520. The group ID 523 is equal to the group ID 511 of the extraction condition information 510 that is associated with the policy definition information 530 by the condition correspondence information 520.

The policy definition information 530 and the setting policy information 540 are policy information (security condition information) stored in the policy storage unit 121.
The policy definition information 530 (policy table) is information that defines a policy (security policy group) to be applied to a certain management target. The policy definition information 530 includes a policy ID 531, a policy name 532, and a status 533.
The policy ID 531 is identification data for uniquely identifying a policy.
The policy name 532 is data describing the name of the policy.
The status 533 is data representing a policy state. The policy state is, for example, a state such as whether the policy is open to the public or edited.

The setting policy information 540 (setting policy table) is information representing individual security policies (setting policies) included in the security policy group defined by the policy definition information 530. The setting policy information 540 indicates a “should” state as a security setting of a target specified in the policy. One policy definition information 530 is associated with one or more setting policy information 540. The setting policy information 540 includes a setting ID 541, a policy ID 542, a setting name 543, and a security condition 544.
The setting ID 541 (setting policy ID) is identification data that uniquely identifies the setting policy.
The policy ID 542 is data indicating the policy definition information 530 associated with the setting policy information 540. The policy ID 542 is equal to the policy ID 531 of the policy definition information 530 associated with the setting policy information 540.
The setting name 543 (setting policy name) is data describing the name of the setting policy information 540.
The security condition 544 (security setting requirement) is data describing the “should” state of the management target defined by the setting policy information 540.

The execution action information 550 and the action definition information 560 are action information stored in the execution action storage unit 122.
The execution action information 550 (measure action table) is information describing an action to be executed in the case of a policy violation. The execution action information 550 is information related to a program to be executed when a condition defined by the setting policy information 540 is violated at the time of a security check. The execution action information 550 includes an action ID 551, a setting ID 552, a program ID 553, and a parameter 554.
The action ID 551 is identification data that uniquely identifies an action.
The setting ID 552 is data indicating setting policy information 540 associated with the execution action information 550. The setting ID 552 indicates the setting policy information 540 to be executed by the action described by the execution action information 550. The setting ID 552 is equal to the setting ID 541 of the setting policy information 540 associated with the execution action information 550.
The program ID 553 is data indicating the action definition information 560 associated with the execution action information 550. The program ID 553 is equal to the program ID 561 of the action definition information 560 associated with the execution action information 550.
The parameter 554 is data describing a parameter to be passed to a program defined by the action definition information 560 associated with the execution action information 550.

The action definition information 560 (measure action definition table) is information that specifically defines a program to be executed when an action is executed. The action definition information 560 indicates a program that executes the action specified by the execution action information 550. The action definition information 560 includes a program ID 561, an action name 562, and a program call name 563.
The program ID 561 is identification data that uniquely identifies a program.
The action name 562 is data describing the name of the action.
The program call name 563 is data for calling a program to be executed when the action is executed. The program call name 563 is data describing the path name and method name of the program to be executed, for example.

The attribute definition information 570 and the attribute information 580 are management target attribute information stored in the attribute storage unit 141.
The attribute definition information 570 (target information item definition table) is information that defines attributes (items managed as target information). The attribute definition information 570 includes an attribute ID 571, an attribute type 572, a target type 573, and an attribute name 574.
The attribute ID 571 is identification data that uniquely identifies the attribute.
The attribute type 572 is data describing the type of attribute defined by the attribute definition information 570. The attribute type indicates a range of values that the attribute can take, such as a numerical value, a character string, a date, and an IP address.
The target type 573 is data describing the type of a management target having an attribute defined by the attribute definition information 570.
The attribute name 574 is data describing the name of the attribute defined by the attribute definition information 570.

The attribute information 580 (target information table) is data describing attribute values of attributes of individual targets. The attribute is used to determine whether the management target satisfies the condition described by the extraction condition 513 of the extraction condition information 510. That is, the attribute information 580 is information for identifying a target at the time of security check. The attribute information 580 includes an item ID 581, a target ID 582, an attribute ID 583, and an attribute value 584.
The item ID 581 is identification data for uniquely identifying an item, and may not be present.
The target ID 582 is data indicating a target having the attribute described by the attribute information 580. A target ID is assigned to the target in order to uniquely identify the management target in advance. The target ID 582 is equal to the target ID of the target having the attribute described by the attribute information 580.

The attribute ID 583 is data indicating the attribute definition information 570 that defines the attribute described by the attribute information 580. The attribute ID 583 is equal to the attribute ID 571 of the attribute definition information 570 that defines the attribute described by the attribute information 580.
The attribute value 584 is data representing the value of the attribute described by the attribute information 580.

  Next, a specific example of information stored in the security operation management system 100 will be described.

FIG. 6 is a diagram showing a specific example of the policy definition information 530 stored in the policy storage unit 121 in this embodiment.
In this figure, policy definition information 530 is represented in a table format. The horizontal row represents one policy definition information 530. The vertical column represents each item (policy ID 531, policy name 532, status 533) of each policy definition information 530. When the policy storage unit 121 stores the policy definition information 530 in a database format, horizontal rows correspond to database records, and vertical columns correspond to database fields.

The policy ID 531 is fixed-length character string data such as “P00001”, “P00002”, “P00003”, “P00004”, and “P00005”. The policy ID 531 is automatically assigned by the security operation management system 100 when the policy administrator registers / edits a policy. For example, the policy ID 531 is different for each policy definition information 530 in order to uniquely identify the policy. Is attached.
The policy name 532 is, for example, variable-length character string data such as “company-wide policy”, “HR department policy”, “general affairs department policy”, “development department policy”, and “manager policy”. The policy name 532 is given to make it easier for the policy administrator to identify and understand the application target and contents of the policy. For example, when the policy administrator registers / edits a policy, the policy administrator When a policy administrator views and edits a policy by operating an input device such as a keyboard 902, a display device 901 such as a CRT displays the policy.
The status 533 is data such as “public” and “edit”, for example. The status 533 represents a state such as a policy operation status.

FIG. 7 is a diagram showing a specific example of the setting policy information 540 stored by the policy storage unit 121 in this embodiment.
As in FIG. 6, in this figure, the setting policy information 540 is represented in a table format. The horizontal row represents one setting policy information 540, and the vertical column represents each item (setting ID 541, policy ID 542, setting name 543, security condition 544) of each policy definition information 530.

  The setting ID 541 is fixed-length character string data such as “TP0001” and “TP0002”, for example. The setting ID 541 is automatically assigned by the security operation management system 100 when, for example, a policy administrator registers / edits a setting policy, and is different for each setting policy information 540 in order to uniquely identify the setting policy. A setting ID 541 is attached. When a setting policy is identified by a combination of the setting ID 541 and the policy ID 542, the setting ID 541 may overlap with the setting ID 541 of the setting policy information 540 having a different policy ID 542.

  The policy ID 542 is, for example, fixed-length character string data such as “P00001” and “P00002”, and is equal to the policy ID 531 of any policy definition information 530. For example, when a policy administrator registers / edits a setting policy, the policy operation manager 100 operates an input device such as the keyboard 902 to input a policy for associating the setting policy, and the security operation management system 100 responds based on the input content. The policy ID 531 of the policy definition information 530 describing the attached policy is acquired and set.

  The setting name 543 is variable-length character string data such as “Usage OS restriction” and “Antivirus software use”, for example. The setting name 543 is given to make it easier for the policy administrator to identify and understand the contents of the setting policy. For example, when the policy administrator registers / edits the setting policy, the policy administrator uses the keyboard. When a policy administrator views and edits a setting policy by operating an input device such as 902, a display device 901 such as a CRT displays.

  The security condition 544 is variable-length character string data such as “OS service pack (XP) ≧ SP1 or OS service pack (2000) ≧ SP1” and “anti-virus software pattern ≧ 4.330”. The security condition 544 is data describing conditions for determining whether the target to which the setting policy is applied conforms to the policy. For example, when the policy administrator registers / edits the setting policy When the policy manager operates and inputs an input device such as the keyboard 902, and the policy manager views and edits the setting policy, the display device 901 such as a CRT displays. A description format and grammar that can be easily understood by the policy manager are determined in advance to help the policy manager input, and the security conditions 544 are described accordingly. The description format of the security condition 544 may be a format closer to a natural language, or may be a format suitable for database processing, such as a format conforming to the SQL statement description format.

  As shown in this example, the setting policy represents each specific security policy. Usually, a combination of a plurality of setting policies is applied to the management target, and the same combination is applied to the same type of management target. Therefore, a combination of a plurality of setting policies is defined as one policy and managed as a policy and one or more setting policies corresponding to the policy.

FIG. 8 is a diagram showing a specific example of the execution action information 550 stored in the execution action storage unit 122 in this embodiment.
6 and 7, the execution action information 550 is represented in a table format, the horizontal row represents one execution action information 550, and the vertical column represents each item (action ID 551, setting ID 552, Program ID 553, name 555, value 556).

  The action ID 551 is fixed-length character string data such as “AC0001” and “AC0002”, for example. For example, when the policy manager registers / edits an action, the action ID 551 is automatically assigned by the security operation management system 100. In order to uniquely identify the action, a different action ID 551 for each execution action information 550 is provided. Attached.

  The setting ID 552 is fixed-length character string data such as “TP0001” and “TP0002”, for example, and is equal to the setting ID 541 of any setting policy information 540. For example, when a policy manager registers / edits an action, he / she operates an input device such as the keyboard 902 to input a setting policy for associating the action, and the security operation management system 100 associates the action based on the input content. The setting ID 541 of the setting policy information 540 describing the set setting policy is acquired and set.

  The program ID 553 is, for example, fixed-length character string data such as “PG0001” and “PG0002”, and is equal to the program ID 561 of any action definition information 560. For example, when the policy administrator registers / edits an action, the program is executed by operating the input device such as the keyboard 902, and the security operation management system 100 performs the action based on the input content. The program ID 561 of the action definition information 560 that defines the program to be executed is acquired and set.

Name 555 and value 556 are examples of parameters 554.
The name 555 is variable-length character string data such as “From” and “To”, for example, and is the name of a parameter to be passed to the program indicated by the program ID 553.
The value 556 is variable-length character string data such as “admin @ XXX” and “user @ XXX”, and is a parameter value to be passed to the program indicated by the program ID 553.

FIG. 9 is a diagram showing a specific example of the action definition information 560 stored in the execution action storage unit 122 in this embodiment.
As in FIGS. 6 to 8, in this figure, the action definition information 560 is represented in a table form, the horizontal row indicates one action definition information 560, and the vertical column indicates each item (program ID 561, action name 562, Represents the program call name 563).

The program ID 561 is fixed-length character string data such as “PG0000” and “PG0001”. For example, when the policy manager registers / edits a program, the program ID 561 is automatically assigned by the security operation management system 100. In order to uniquely identify the program, a different program ID 561 is used for each action definition information 560. Attached.
The action name 562 is, for example, variable-length character string data such as “do nothing” or “send mail”. The action name 562 is given to make it easier for the policy manager to identify and understand the function of the program. When the policy manager registers / changes the program, the policy manager inputs the keyboard 902 or the like. When a policy administrator registers and edits an action by operating the device, a display device 901 such as a CRT displays the action.
The program call name 563 is variable-length character string data such as “actionNoAction” and “actionSendMail”. The program call name 563 indicates the substance of the program such as the path name and method name of the program to be executed, and is data necessary for calling the program.
By adding actions defined by the action definition information 560, it is possible to increase the types of actions later.

FIG. 10 is a diagram showing a specific example of the extraction condition information 510 stored in the extraction condition storage unit 133 according to this embodiment.
Similar to FIGS. 6 to 9, in this figure, the extraction condition information 510 is represented in a table format, the horizontal row indicates one extraction condition information 510, and the vertical column indicates each item (group ID 511, group name 512, This represents the extraction condition 513).

  The group ID 511 is fixed-length character string data such as “TG0001” and “TG0002”, for example. For example, when the policy manager registers / edits a group, the group ID 511 is automatically assigned by the security operation management system 100. In order to uniquely identify the group, a different group ID 511 is used for each extraction condition information 510. Attached.

  The group name 512 is variable-length character string data such as “Company-wide PC” and “Personnel Department PC”, for example. The group name 512 is given to make it easier for the policy manager to identify and understand the object represented by the group. When the policy manager registers / edits the group, the policy manager uses the keyboard 902 or the like. When a policy manager views and edits a group by operating the input device, the display device 901 such as a CRT displays.

  The extraction condition 513 is, for example, variable-length character string data such as “(location = A building or location = B building) and device type = PC”, “management organization = personnel and device type = PC”. The extraction condition 513 is data describing conditions for determining whether or not the management target belongs to the group. For example, when the policy manager registers / edits a group, the policy manager uses the keyboard 902 or the like. When a policy manager views and edits a group by operating the input device, the display device 901 such as a CRT displays. As with the security condition 544, the extraction condition 513 is defined according to a description format and grammar that are easy to understand for the policy manager in order to assist the policy manager. The description format of the extraction condition 513 may be a format closer to a natural language, or may be a format suitable for database processing, such as a format conforming to the SQL statement description format.

  Management targets that satisfy the conditions described by the extraction condition 513 are grouped and managed by the group ID 511. The same security policy is applied to management targets belonging to one group.

FIG. 11 is a diagram illustrating a specific example of the condition correspondence information 520 stored in the condition correspondence storage unit 132 according to this embodiment.
Similar to FIGS. 6 to 10, in this figure, the condition correspondence information 520 is represented in a table format, the horizontal row indicates one condition correspondence information 520, and the vertical column indicates each item (correspondence ID 521, policy ID 522, group ID523).

  The correspondence ID 521 is fixed-length character string data such as “C0001” and “C0002”, for example. The correspondence ID 521 is automatically assigned by the security operation management system 100 when, for example, a policy administrator registers / edits a group, and is different for each condition correspondence information 520 in order to uniquely identify the condition correspondence information 520. Correspondence ID 521 is attached.

  The policy ID 522 is fixed-length character string data such as “P00001” and “P00002”, for example, and is equal to the policy ID 531 of any policy definition information 530. For example, when a policy administrator registers / edits a group, a policy to be applied to the group is input by operating an input device such as the keyboard 902, and the security operation management system 100 applies the policy to the group based on the input content. The policy ID 531 of the policy definition information 530 describing the policy is acquired and set.

  The group ID 523 is fixed-length character string data such as “TG0001” and “TG0002”, for example, and is equal to the group ID 511 of any extraction condition information 510. For example, when a policy administrator registers / edits a group, the group to which the policy is applied is input by operating an input device such as the keyboard 902, and the security operation management system 100 applies the policy based on the input content. The group ID 511 of the extraction condition information 510 describing the group is acquired and set.

  The condition correspondence information 520 indicates that the policy definition information 530 indicated by the policy ID 522 and the extraction condition information 510 indicated by the group ID 523 are mapped. That is, it represents that the security policy described by the policy definition information 530 indicated by the policy ID 522 is applied to the management target grouped by the condition described by the extraction condition information 510 indicated by the group ID 523.

FIG. 12 is a diagram illustrating a specific example of the attribute information 580 stored in the attribute storage unit 141 according to this embodiment.
Similar to FIGS. 6 to 11, in this figure, the attribute information 580 is represented in a table format, the horizontal row indicates one attribute information 580, and the vertical column indicates each item (item ID 581, target ID 582, attribute ID 583, Represents the attribute value 584).

  The item ID 581 is, for example, fixed-length character string data such as “V0000” and “V0001”. The item ID 581 is automatically assigned by the security operation management system 100 when, for example, the system administrator registers / changes an attribute to be managed, and for each attribute information 580 to uniquely identify the attribute information 580. Different item IDs 581 are attached.

  The target ID 582 is, for example, fixed-length character string data such as “AST0001” and “AST0002”, and is equal to any of the target IDs assigned to the management targets in advance in order to uniquely identify the management target in the network system 800. For example, when a system administrator registers / changes an attribute to be managed, the management target for setting an attribute value is input by operating an input device such as the keyboard 902, and the security operation management system 100 is based on the input content. Thus, the object ID assigned to the management object for which the attribute value is set is acquired and set.

  The attribute ID 583 is, for example, fixed-length character string data such as “A00000” and “A00001”, and is equal to the attribute ID 571 of any attribute definition information 570. For example, when the system administrator registers / changes an attribute to be managed, the attribute to be set as the management target is input by operating an input device such as the keyboard 902, and the security operation management system 100 is based on the input content. The attribute ID 571 of the attribute definition information 570 that defines the attribute to be set as the management target is acquired and set.

  The attribute value 584 is, for example, variable-length character string data such as “device”, “AST0001”, and “HOST01”. The attribute value 584 is input by operating the input device such as the keyboard 902 when the system administrator registers / edits the attribute, and the display device 901 such as CRT when the system administrator views / edits the attribute. Is displayed.

FIG. 13 is a diagram showing a specific example of the attribute definition information 570 stored in the attribute storage unit 141 in this embodiment.
Similar to FIGS. 6 to 12, in this figure, the attribute definition information 570 is represented in a table format, the horizontal row represents one attribute definition information 570, and the vertical column represents each item (attribute ID 571, attribute type 572, Represents an object type 573 and an attribute name 574).

  The attribute ID 571 is fixed-length character string data such as “A00000” and “A00001”, for example. The attribute ID 571 is automatically assigned by the security operation management system 100 when, for example, the system administrator registers / edits the attribute definition information 570. The attribute ID information 570 uniquely identifies the attribute definition information 570. A different attribute ID 571 is assigned to each.

The attribute type 572 is, for example, character string data such as “character string” and “IP address”. Alternatively, a code (numerical value) corresponding to “character string”, “IP address”, or the like may be determined in advance, and the attribute type 572 may be numerical data representing a predetermined code. For example, when the system administrator registers / edits the attribute definition information 570, the attribute type 572 is input by operating an input device such as the keyboard 902, and when the system administrator views / edits the attribute definition information 570, Displayed on a display device 901 such as a CRT.
The attribute type 572 is used as follows, for example. When the system administrator registers / edits an attribute, the security operation management system 100 determines whether the input attribute value is an appropriate value as the attribute value of the attribute based on the attribute type 572, and If not, request re-entry.

The target type 573 is, for example, character string data such as “all” and “device”. Alternatively, codes (numerical values) corresponding to “all”, “devices”, and the like may be determined in advance, and the target type 573 may be numerical data representing a predetermined code. For example, when the system administrator registers / edits the attribute definition information 570, the target type 573 is input by operating an input device such as the keyboard 902, and when the system administrator views / edits the attribute definition information 570. Displayed on a display device 901 such as a CRT.
The target type 573 is used as follows, for example. When the system administrator registers / edits attributes, the security operation management system 100 generates a list of attributes that can be set for the management target based on the target type 573, and displays the generated list as a display device 901 such as a CRT. Is displayed and allows the system administrator to select an attribute to be set.

  The attribute name 574 is, for example, variable-length character string data such as “type”, “asset number”, and “asset name”. The attribute name 574 is given to make it easier for the system administrator to understand the contents represented by the attribute. For example, when the system administrator registers / edits the attribute definition information 570, the attribute name 574 is input from the keyboard 902 or the like. When the system management company registers and edits the attribute by operating the device, the display device 901 such as a CRT displays it.

  Next, the operation of the security operation management system 100 will be described.

FIG. 14 is a flowchart showing an example of the flow of security check processing in which the security operation management system 100 according to this embodiment checks the security of the network system 800.
The security check process is repeatedly executed, for example, periodically (for example, once a day). As a result, policy violations can be detected and dealt with early. In order to reduce the load on the network 300, the repetition cycle may be lengthened, and in order to improve safety, the repetition cycle may be shortened. Also, the policy administrator may operate the input device such as the keyboard 902 to cause the security operation management system 100 to execute a security check process, or the security operation management system 100 has a built-in timer. The security check process may be automatically executed when a predetermined time has elapsed.

In the first loop L1, the security operation management system 100 processes the policy definition information 530 stored in the policy storage unit 121 one by one using a processing device such as the CPU 911, and processes all the policy definition information 530. Repeat until the process is complete.
The first loop L1 is a process of repeating each process of the policy acquisition step S11, the policy list acquisition step S12, the extraction condition acquisition step S13, the target list acquisition step S14, and the second loop L2.

  In the policy acquisition step S11, the policy acquisition unit 111 acquires one unprocessed policy definition information 530 from the policy definition information 530 stored in the policy storage unit 121 using a processing device such as the CPU 911. If there is no unprocessed policy definition information 530 in the policy definition information 530 stored in the policy storage unit 121, the first loop L1 is exited and the security check process is terminated.

In the policy list acquisition step S12, the policy acquisition unit 111 uses a processing device such as the CPU 911 to associate the policy definition information 530 acquired in the policy acquisition step S11 from the setting policy information 540 stored in the policy storage unit 121. A list of setting policy information 540 that has been set is acquired. Details of the processing of the policy list acquisition step S12 are, for example, the following procedure.
First, the policy acquisition unit 111 acquires a policy ID 531 from the policy definition information 530 acquired in the policy acquisition step S11 using a processing device such as the CPU 911.
Next, the policy acquisition unit 111 uses a processing device such as the CPU 911 to generate policy list generation request data for requesting the policy storage unit 121 to generate a policy list. The policy list generation request data is, for example, data described in a format such as an SQL sentence, and the setting policy in which the policy ID 542 is equal to the acquired policy ID 531 from the setting policy information 540 stored in the policy storage unit 121. Information 540 is extracted, and a policy list in which setting IDs 541 included in the extracted setting policy information 540 are listed is generated and requested to be sent to the policy acquisition unit 111.
The policy acquisition unit 111 sends the generated policy list generation request data to the policy storage unit 121 using a processing device such as the CPU 911.
The policy storage unit 121 acquires the policy list generation request data sent by the policy acquisition unit 111 using a processing device such as the CPU 911.
The policy storage unit 121 analyzes the acquired policy list generation request data using a processing device such as the CPU 911, and performs the processing requested by the policy acquisition unit 111 based on the analysis result. That is, the policy storage unit 121 uses the processing device such as the CPU 911 among the setting policy information 540 stored using a storage device such as the magnetic disk device 920 to set the setting policy information 540 whose policy ID 542 is equal to the policy ID 531. Extract. The policy storage unit 121 acquires a setting ID 541 from the extracted setting policy information 540 using a processing device such as the CPU 911, and enumerates the acquired setting ID 541 to generate a policy list. The policy storage unit 121 sends the generated policy list to the policy acquisition unit 111 using a processing device such as the CPU 911.
The policy acquisition unit 111 acquires the policy list sent by the policy acquisition unit 111 using a processing device such as the CPU 911.

  In the extraction condition acquisition step S13, the extraction condition acquisition unit 112 uses the processing device such as the CPU 911 to extract the policy definition information 530 acquired in the policy acquisition step S11 from the extraction condition information 510 stored in the extraction condition storage unit 133. The extraction condition 513 included in the extraction condition information 510 corresponding to is acquired.

  FIG. 15 is a flowchart showing an example of details of processing in the extraction condition acquisition step S13 in which the extraction condition acquisition unit 112 acquires the extraction condition information 510 in this embodiment.

  In the policy ID acquisition step S31, the extraction condition acquisition unit 112 acquires a policy ID 531 from the policy definition information 530 acquired in the policy acquisition step S11 using a processing device such as the CPU 911.

In the condition correspondence information search step S32, the condition correspondence storage unit 132 uses the processing device such as the CPU 911 to select the policy ID 522 from the stored condition correspondence information 520 and the extraction condition acquisition unit 112 in the policy ID acquisition step S31. The condition correspondence information 520 that matches the acquired policy ID 531 is searched.
For example, the extraction condition acquisition unit 112 uses a processing device such as the CPU 911 to generate condition correspondence information search request data for requesting the condition correspondence storage unit 132 to search for the condition correspondence information 520. The condition correspondence information search request data is, for example, data described in a format such as an SQL sentence. From the condition correspondence information 520 stored in the condition correspondence storage unit 132, the policy ID 522 is the policy ID acquisition step S31. The condition correspondence information 520 that is the same as the acquired policy ID 531 is extracted, and the group ID 523 (list) of the extracted condition correspondence information 520 is requested to be sent to the extraction condition acquisition unit 112.
The extraction condition acquisition unit 112 sends the generated condition correspondence information search request data to the condition correspondence storage unit 132 using a processing device such as the CPU 911. The condition correspondence storage unit 132 acquires the condition correspondence information search request data sent by the extraction condition acquisition unit 112 using a processing device such as the CPU 911.
The condition correspondence storage unit 132 analyzes the acquired condition correspondence information search request data using a processing device such as the CPU 911, and performs the requested process based on the analysis result. That is, the condition correspondence storage unit 132 uses the processing device such as the CPU 911 among the condition correspondence information 520 stored using the storage device such as the magnetic disk device 920, and the condition correspondence information 520 where the policy ID 522 is equal to the policy ID 531. To extract.

In the group ID acquisition step S33, the extraction condition acquisition unit 112 acquires the group ID 523 from the condition correspondence information 520 searched by the condition correspondence storage unit 132 in the condition correspondence information search step S32 using a processing device such as the CPU 911.
For example, the condition correspondence storage unit 132 acquires the group ID 523 from the condition correspondence information 520 extracted in the condition correspondence information search step S32 using a processing device such as the CPU 911.
The condition correspondence storage unit 132 sends the acquired group ID 523 (list thereof) to the extraction condition acquisition unit 112 using a processing device such as the CPU 911. The extraction condition acquisition unit 112 acquires the group ID 523 sent by the condition correspondence storage unit 132 using a processing device such as the CPU 911.
Thereby, the group ID 523 assigned to the policy ID 531 acquired in the policy ID acquisition step S31 is obtained.

In the extraction condition information search step S34, the extraction condition storage unit 133 uses a processing device such as the CPU 911 to extract the group ID 511 from the stored extraction condition information 510 and the extraction condition acquisition unit 112 in the group ID acquisition step S33. The extraction condition information 510 that matches the acquired group ID 523 is searched.
For example, the extraction condition acquisition unit 112 uses the processing device such as the CPU 911 to generate extraction condition information search request data that requests the extraction condition storage unit 133 to search for the extraction condition information 510. The extraction condition information search request data is, for example, data described in a format such as an SQL sentence, and the group ID 511 is extracted from the extraction condition information 510 stored in the extraction condition storage unit 133 in the group ID acquisition step S33. The extraction condition information 510 equal to the acquired group ID 523 is extracted, and the extraction condition 513 (list) of the extracted extraction condition information 510 is requested to be sent to the extraction condition acquisition unit 112.
The extraction condition acquisition unit 112 sends the generated extraction condition information search request data to the extraction condition storage unit 133 using a processing device such as the CPU 911. The extraction condition storage unit 133 acquires the extraction condition information search request data sent by the extraction condition acquisition unit 112 using a processing device such as the CPU 911.
The extraction condition storage unit 133 analyzes the acquired extraction condition information search request data using a processing device such as the CPU 911, and performs the requested process based on the analysis result. That is, the extraction condition storage unit 133 extracts the extraction condition information 510 in which the group ID 511 is equal to the group ID 523 from the extraction condition information 510 stored using a storage device such as the magnetic disk device 920.

In the extraction condition acquisition step S35, the extraction condition acquisition unit 112 acquires the extraction condition 513 from the extraction condition information 510 searched by the extraction condition storage unit 133 in the extraction condition information search step S34 using a processing device such as the CPU 911. .
For example, the extraction condition storage unit 133 acquires the extraction condition 513 from the extraction condition information 510 extracted in the extraction condition information search step S34 using a processing device such as the CPU 911.
The extraction condition storage unit 133 sends the acquired extraction conditions 513 (a list thereof) to the extraction condition acquisition unit 112 using a processing device such as the CPU 911. The extraction condition acquisition unit 112 acquires the extraction condition 513 sent by the extraction condition storage unit 133 using a processing device such as the CPU 911.
Thereby, the extraction condition 513 assigned to the policy ID 531 acquired in the policy ID acquisition step S31 is obtained.

  Returning to FIG. 14, the description of the security check process will be continued.

  In the target list acquisition step S14, the management target extraction unit 113 satisfies the extraction condition 513 acquired in the extraction condition acquisition step S35 based on the attribute information 580 stored in the attribute storage unit 141 using a processing device such as the CPU 911. Get the managed list.

  FIG. 16 is a flowchart showing an example of details of the processing in the target list acquisition step S14 in which the management target extraction unit 113 in this embodiment acquires a list of management targets that satisfy the extraction condition 513.

In the SQL generation step S41, the management target extraction unit 113 generates a SQL sentence based on the extraction condition 513 acquired by the extraction condition acquisition unit 112 in the extraction condition acquisition step S13 using a processing device such as the CPU 911. The SQL statement generated by the management target extraction unit 113 extracts attribute information 580 that satisfies the extraction condition 513 acquired by the extraction condition acquisition unit 112 in the extraction condition acquisition step S13 from the attribute information 580 stored by the attribute storage unit 141. Then, a target list in which the target IDs 582 included in the extracted attribute information 580 are listed is generated and requested to be sent to the management target extraction unit 113.
The management target extraction unit 113 sends the generated SQL sentence to the attribute storage unit 141 using a processing device such as the CPU 911.

In the attribute information search step S42, the attribute storage unit 141 searches for the attribute information 580 based on the SQL sentence generated by the management target extraction unit 113 in the SQL generation step S41 using a processing device such as the CPU 911.
For example, the attribute storage unit 141 uses a processing device such as the CPU 911 to acquire the SQL sentence sent by the management target extraction unit 113 in the SQL generation step S41. The attribute storage unit 141 analyzes the acquired SQL sentence using a processing device such as the CPU 911 and performs the requested process based on the analysis result. That is, the attribute storage unit 141 extracts attribute information 580 that satisfies the extraction condition 513 using a processing device such as the CPU 911 from the attribute information 580 stored using a storage device such as the magnetic disk device 920.

  In the target ID acquisition step S43, the attribute storage unit 141 acquires the target ID 582 from the attribute information 580 searched (extracted) in the attribute information search step S42 using a processing device such as the CPU 911.

In the target list generation step S44, the attribute storage unit 141 uses a processing device such as the CPU 911 to enumerate the target IDs 582 acquired in the target ID acquisition step S43 and generate a target list.
The attribute storage unit 141 uses the processing device such as the CPU 911 to send the generated target list to the management target extraction unit 113.

In the list acquisition step S45, the management target extraction unit 113 acquires the target list sent by the attribute storage unit 141 in the target list generation step S44 using a processing device such as the CPU 911.
As a result, a list of management targets to be checked is obtained based on the extraction condition 513.

  Returning to FIG. 14, the description of the security check process will be continued.

In the second loop L2, the security operation management system 100 performs processing one by one for the management targets indicated by the target IDs 582 listed in the target list acquired by the management target extraction unit 113 in the target list acquisition step S14. The process is repeated until the process for the management target is completed.
The second loop L2 is a process for repeating the processes of the object selection step S15 and the third loop L3.

  In the target selection step S15, the management target extraction unit 113 acquires one unprocessed target ID 582 (check target) from the target list acquired in the target list acquisition step S14 using a processing device such as the CPU 911. If there is no unprocessed target ID 582 among the target IDs 582 listed in the target list acquired in the target list acquisition step S14, the second loop L2 is exited and the next process (repetition of the first loop L1) is performed. Proceed to (Process).

In the third loop L3, the security operation management system 100 processes the setting policy information 540 having the setting IDs 541 listed in the policy list acquired in the policy list acquisition step S12 one by one, and sets all the setting policy information 540. Repeat the process until the process is finished.
The third loop L3 is a process of repeating each process of the setting policy acquisition step S16, the state acquisition step S17, the policy violation determination step S18, the action acquisition step S19, and the action execution step S20.

In the setting policy acquisition step S16, the policy acquisition unit 111 uses the processing device such as the CPU 911 to acquire the target acquired in the target selection step S15 from the setting IDs 541 listed in the policy list acquired in the policy list acquisition step S12. One unprocessed setting ID 541 is acquired for the management target indicated by the ID 582. If there is no unprocessed setting ID 541 among the setting IDs 541 listed in the policy list acquired in the policy list acquisition step S12, the process of the third loop L3 is skipped and the next process (second loop L2) is performed. (Repeat processing).
The policy acquisition unit 111 acquires setting policy information 540 in which the setting ID 541 is equal to the acquired setting ID 541 from the setting policy information 540 stored in the policy storage unit 121 using a processing device such as the CPU 911.

In the state acquisition step S17, the state acquisition unit 114 acquires the state of the management target indicated by the target ID 582 acquired by the management target extraction unit 113 in the target selection step S15 using a processing device such as the CPU 911.
For example, the state acquisition unit 114 acquires the security condition 544 from the setting policy information 540 acquired by the policy acquisition unit 111 in the setting policy acquisition step S16 using a processing device such as the CPU 911.
The state acquisition unit 114 uses a processing device such as the CPU 911 to determine the type of state (security setting item) that needs to be known in order to determine whether the management target satisfies the condition described by the acquired security condition 544. Is determined.
The state acquisition unit 114 uses a processing device such as the CPU 911 for a management target (hereinafter referred to as “selection management target”) identified by the target ID 582 acquired by the management target extraction unit 113 in the target selection step S15. Then, status transmission request data for requesting transmission of a value (contents of security setting) regarding the status of the determined type is generated.
The status acquisition unit 114 transmits the generated status transmission request data via the network 300 to the client device that is the target of selection management among the client devices 200a to 200c, using a processing device such as the CPU 911.
The client device that is the target of selection reception uses the processing device such as the CPU 911 to receive the state transmission request data transmitted by the security operation management system 100 (the state acquisition unit 114).
The client device that is the target of selection analysis uses the processing device such as the CPU 911 to analyze the received status transmission request data and determines the type of status to be transmitted to the security operation management system 100 based on the analysis result. To do.
The client device that is the target of selection management uses a processing device such as the CPU 911 to acquire a value for the determined state type.
The client device that is the target of selection transmission uses the processing device such as the CPU 911 to transmit the acquired value to the security operation management system 100.
The state acquisition unit 114 receives the value of the state transmitted by the client device that is the target of selection management using a processing device such as the CPU 911.

Note that the client device uses a processing device such as the CPU 911 to execute an agent program in advance to acquire a value of a state that may be transmitted to the security operation management system 100, and from the security operation management system 100. When there is a request, it is good also as transmitting the value of the state acquired beforehand.
Alternatively, the client device uses a processing device such as the CPU 911 to transmit the value of the state acquired in advance to the security operation management system 100, and the security operation management system 100 receives the value to obtain a magnetic disk. The state acquisition unit 114 may acquire the state value stored in advance without communicating with the client device, using a storage device such as the device 920. The target information database storage unit 140 may store the state values collected in advance. Further, information collected in advance by another asset management tool or the like may be stored and acquired by the state acquisition unit 114.

In the policy violation determination step S18, the policy violation extraction unit 115 uses a processing device such as the CPU 911 to determine whether or not the selection management target conforms to the security policy.
For example, the policy violation extraction unit 115 acquires the security condition 544 from the setting policy information 540 acquired by the policy acquisition unit 111 in the setting policy acquisition step S16 using a processing device such as the CPU 911.
The policy violation extraction unit 115 selects a condition described in the acquired security condition 544 based on the value of the state acquired by the state acquisition unit 114 in the state acquisition step S17 using a processing device such as the CPU 911. Whether or not is satisfied.
When it is determined that the selection management target does not satisfy the condition described in the acquired security condition 544, the action proceeds to the action acquisition step S19 and the action execution step S20 as a policy violation, and the action is executed.
If it is determined that the selection management target satisfies the condition described in the acquired security condition 544, the action acquisition step S19 and the action execution step S20 are skipped as policy conformance, and the next process (first step) is executed without executing the action. Proceed to the repetitive processing of three loop L3.

In the action acquisition step S19, the action acquisition unit 116 acquires the policy acquisition unit 111 in the setting policy acquisition step S16 from the execution action information 550 stored in the execution action storage unit 122 using a processing device such as the CPU 911. The setting policy information 540 describing the action to be executed when the selection management target violates the security policy described in the setting policy information 540 is acquired.
For example, the action acquisition unit 116 acquires the setting ID 541 from the setting policy information 540 acquired by the policy acquisition unit 111 in the setting policy acquisition step S16 using a processing device such as the CPU 911.
The action acquisition unit 116 generates action search request data for requesting the execution action storage unit 122 to search the execution action information 550 using a processing device such as the CPU 911. The action search request data is, for example, data described in a format such as an SQL sentence, and the execution action having the setting ID 552 equal to the acquired setting ID 541 from the execution action information 550 stored in the execution action storage unit 122. It requests that the information 550 be extracted and sent to the action acquisition unit 116.
The action acquisition unit 116 sends the generated action search request data to the execution action storage unit 122 using a processing device such as the CPU 911. The execution action storage unit 122 acquires action search request data sent by the action acquisition unit 116 using a processing device such as the CPU 911.
The execution action storage unit 122 analyzes the acquired action search request data using a processing device such as the CPU 911 and performs the requested process based on the analysis result. That is, the execution action storage unit 122 extracts the execution action information 550 having the setting ID 552 equal to the setting ID 541 from the execution action information 550 stored using a storage device such as the magnetic disk device 920.
The execution action storage unit 122 sends the extracted execution action information 550 to the action acquisition unit 116 using a processing device such as the CPU 911. The action acquisition unit 116 acquires the execution action information 550 sent by the execution action storage unit 122 using a processing device such as the CPU 911.

In the action execution step S20, the action execution unit 117 uses a processing device such as the CPU 911 to execute an action on the management target determined as a policy violation based on the execution action information 550 acquired in the action acquisition step S19. .
For example, the action execution unit 117 acquires the program ID 553 and the parameter 554 from the execution action information 550 acquired by the action acquisition unit 116 in the action acquisition step S19 using a processing device such as the CPU 911.
The action execution unit 117 uses a processing device such as the CPU 911 to call the program call included in the action definition information 560 in which the program ID 561 is equal to the acquired program ID 553 from the action definition information 560 stored in the execution action storage unit 122. The name 563 is acquired.
The action execution unit 117 calls a program based on the acquired program call name 563 using a processing device such as the CPU 911, passes parameters to the called program based on the acquired parameter 554, and executes them.
Note that the program executed by the action execution unit 117 may be executed by the security operation management system 100 as in the case of sending an email to an administrator who is subject to the policy violation selection management target. The client device may be executed by a client device that is the object of the violation selection management target, such as when a predetermined program is installed.

  As described above, if the management target is a policy violation, the countermeasure program can be automatically executed to force the management target to conform to the policy, or the management target can be notified and managed. You can also call attention to make the subject fit the policy.

  Next, the effect of the security operation management system 100 in this embodiment will be described.

The security operation management system 100 (management device) in this embodiment is:
A management device (security operation) that includes a storage device such as a magnetic disk device 920 that stores information and a processing device such as a CPU 911 that processes information, and manages the management targets (client devices 200a to 200c) so as to satisfy the security policy. In the management system 100)
Policy storage unit 121, attribute storage unit 141, extraction condition storage unit 133, execution action storage unit 122, management target extraction unit 113, status acquisition unit 114, policy violation extraction unit 115, and action execution unit 117 It is characterized by having.
The policy storage unit 121 uses the storage device to store security condition information (policy definition information 530 and setting policy information 540) describing conditions to be satisfied by the management target.
The attribute storage unit 141 stores management target attribute information (attribute definition information 570 and attribute information 580) describing the attributes of the management target using the storage device.
The extraction condition storage unit 133 uses the storage device to store management target extraction condition information (extraction condition information 510) that describes conditions for extracting a management target that satisfies the conditions described in the security condition information. It is characterized by that.
The execution action storage unit 122 stores, using the storage device, execution action information 550 describing an action to be executed when the management target does not satisfy the condition described in the security condition information. Features.
Based on the management target attribute information stored in the attribute storage unit 141 using the processing device, the management target extraction unit 113 uses the conditions described in the management target extraction condition information stored in the extraction condition storage unit 133. It is characterized by extracting a management target that satisfies the above.
The status acquisition unit 114 acquires the status of the management target for the management target extracted by the management target extraction unit 113 using the processing device.
The policy violation extraction unit 115 is a management target that does not satisfy the condition described in the security condition information stored in the policy storage unit 121 based on the state acquired by the state acquisition unit 114 using the processing device. Is extracted.
The action execution unit 117 executes the action described in the execution action information 550 stored in the execution action storage unit 122 for the management target extracted by the policy violation extraction unit 115 using the processing device. Features.

  The security condition information (policy definition information 530 and setting policy information 540) stored by the policy storage unit 121 does not include data for directly specifying a management target to which the security policy is applied. The management target to which the security policy is applied is described in the extraction condition information 510 stored in the extraction condition storage unit 133 based on the management target attribute information (attribute definition information 570 and attribute information 580) stored in the attribute storage unit 141. The management target extraction unit 113 extracts management targets that satisfy the conditions.

Therefore, when the security policy to be applied to the management target changes due to organizational reform, personnel changes, network configuration changes, etc., the security condition information (policy information) stored in the policy storage unit 121 or the extraction condition storage unit 133 It is not necessary to change the stored management target extraction condition information, and it is only necessary to change the management target attribute information stored in the attribute storage unit 141.
Further, when the same security policy is applied to a plurality of network systems 800 operating at remote locations, the same policy definition information 530, setting policy information 540, and extraction condition information 510 can be shared.
Therefore, the burden on the policy manager is reduced, and the management cost of the network system 800 can be reduced. In addition, since the risk of overlooking policy violations due to an input error of the policy manager or the like is reduced, the security of the network system 800 can be improved.

Further, the management target attribute information stored in the attribute storage unit 141 can be used not only in the security operation management system 100 but also in other systems that manage the network system 800. Therefore, access to the attribute storage unit 141 from another system may be permitted.
On the other hand, when other system already stores the management target attribute information, the attribute storage unit 141 may store a copy of the management target attribute information, or the other system storing the management target attribute information. The attribute storage unit 141 may be used.
As a result, it is possible to reduce the trouble of inputting information and save the storage capacity of the storage device.

The security operation management system 100 (management apparatus) in this embodiment further includes a condition correspondence storage unit 132 and an extraction condition acquisition unit 112.
The policy storage unit 121 stores a plurality of security condition information (policy information) using the storage device.
The extraction condition storage unit 133 stores a plurality of management target extraction condition information (extraction condition information 510) using the storage device.
The condition correspondence storage unit 132 is described in each of the plurality of management target extraction condition information stored in the extraction condition storage unit 133 among the plurality of security condition information stored in the policy storage unit using the storage device. Security condition information describing a condition to be satisfied by a management target extracted by the condition and condition correspondence information 520 describing a correspondence between the management target extraction condition information and the management target extraction condition information are stored.
The extraction condition acquisition unit 112 is described in each of the plurality of security condition information stored in the policy storage unit 121 based on the condition correspondence information 520 stored in the condition correspondence storage unit 132 using the processing device. Management object extraction condition information (extraction condition information 510) describing a condition for extracting a management object that satisfies a condition is acquired from a plurality of management object extraction condition information stored in the extraction condition storage unit 133. And
The management object extraction unit 113 uses the processing device to extract the extraction condition for each of a plurality of security condition information stored in the policy storage unit 121 based on the management object attribute information stored in the attribute storage unit 141. A management target that satisfies the conditions described in the management target extraction condition information acquired by the acquisition unit 112 is extracted.

  The security condition information (policy definition information 530 and setting policy information 540) stored by the policy storage unit 121 includes not only information for directly specifying a management target but also information regarding a condition for extracting the management target. The management target extraction condition information (extraction condition information 510) describing the conditions for extracting the management target is stored in the extraction condition storage unit 133 and managed separately from the security condition information. The condition correspondence storage unit 132 stores the condition correspondence information 520 describing the correspondence between the security condition information and the management target extraction condition information.

When attribute definitions and possible values of attributes change due to organizational restructuring or network configuration changes, not only management target attribute information (attribute definition information 570 and attribute information 580) is changed, but also extraction conditions are changed. There may be a need.
Since the security operation management system 100 (management apparatus) in this embodiment separately manages security condition information and management target extraction condition information, the policy information stored in the policy storage unit 121 in the above case (Policy definition information 530 and setting policy information 540) do not need to be changed, and management target extraction condition information (extraction condition information 510) stored in the extraction condition storage unit 133 need only be changed.
For this reason, the burden on the policy manager is further reduced, and the management cost of the network system 800 can be further reduced. Further, the risk of overlooking the policy violation due to an input error of the policy manager is further reduced, so that the security of the network system 800 can be further enhanced.

  The network system 800 in this embodiment includes the above-described management device (security operation management system 100) and target devices (client devices 200a to 200c) that are management targets of the management device.

  Since the network system 800 includes such a security operation management system 100, it is possible to discover and deal with policy violations of the client devices 200a to 200c without leaking. Thereby, the security of the network system 800 can be improved.

  The security operation management system 100 (management device) in this embodiment is configured such that a computer executes a program that causes a computer having a storage device that stores information and a processing device that processes information to function as the security operation management system 100. Is feasible.

  Such a program can reduce the burden on the policy administrator, reduce the management cost of the network system 800, and realize a management apparatus (security operation management system 100) that can improve the safety of the network system 800. Play.

A security operation management system 100 (a management device having a storage device such as a magnetic disk device 920 that stores information and a processing device such as a CPU 911 that processes information) in this embodiment is a management target (client devices 200a to 200c). The management method for managing the client to satisfy the security policy has the following characteristics.
The storage device
Security condition information (policy definition information 530 and setting policy information 540) describing conditions that the management target should satisfy;
Management target attribute information (attribute definition information 570 and attribute information 580) describing the attributes of the management target,
Management object extraction condition information (extraction condition information 510) describing a condition for extracting a management object that should satisfy the conditions described in the security condition information;
Execution action information 550 describing an action to be executed when the management target does not satisfy the condition described in the security condition information is stored.
The processing device is
Based on the management target attribute information stored in the storage device, extract a management target that satisfies the conditions described in the management target extraction condition information stored in the storage device,
Obtain the status of the management target for the extracted management target,
Based on the acquired state, extract the management target that does not satisfy the conditions described in the security condition information stored in the storage device,
For the extracted management target, the action described in the execution action information stored in the storage device is executed.

This changes the security condition information (policy information) and management target extraction condition information stored in the storage device when the security policy to be applied to the management target changes due to organizational reform, personnel changes, network configuration changes, etc. There is no need to change the management target attribute information.
Further, when the same security policy is applied to a plurality of network systems 800 operating at remote locations, the same policy information and management target extraction condition information can be shared.
Therefore, the burden on the policy manager is reduced, and the management cost of the network system 800 can be reduced. In addition, since the risk of overlooking policy violations due to an input error of the policy manager or the like is reduced, the security of the network system 800 can be improved.

The security operation management system 100 (policy-based security operation management system) described above is
Means for managing policies and database (policy database storage unit 120);
Means for managing group information of a security check target based on a policy and a database (target group database storage unit 130);
Means for managing information such as a device to be subjected to security check and a database (target information database storage unit 140);
A means (security check unit 110) for performing security check based on a policy for a specific device or the like is provided.

The security operation management system 100 described above is
A condition (extraction condition) for narrowing the security check targets from the database in order to group the security check targets in the means (target group database storage unit 130) for managing the group information of the security check target based on the policy It is characterized by using.

  As described above, the policy database (policy database storage unit 120) manages policy information, and the target group database (target group database storage unit 130) searches for target group information and target information to be assigned to the policy. In addition, the target information database (target information database storage unit 140) manages detailed information on the actual security check target, so that individual information can be managed independently. As a result, even if the information in the target information database is added or changed, it does not directly affect the information in the policy database. Therefore, when distributing a policy created in a higher security management organization to a lower security management organization. The upper security management organization can distribute the policy without worrying about the target information such as the information system configuration in the lower security management organization.

The security operation management system 100 described above is
Target information based on a condition for narrowing down the security check target to be managed immediately before the execution of the security check based on the policy in the means (security check unit 110) for performing the security check based on the policy for a specific device or the like It is characterized by acquiring.

  Thereby, a security check based on the latest target information can be performed by searching for and acquiring a check target using conditions in the target group at the time of a security check.

  As described above, the security check target based on the policy is grouped in advance independently of the policy, and the grouped information (target group ID) is managed as the target group information separately from the policy, so that the security policy is dynamically If a policy created by a higher-level security management organization can be deployed to a security operation management system operating in a lower-level security management organization or other business office Deploy policies to security operation management systems operating in other locations without changing to the security check target conditions described in the policy according to the management status of the previous asset and the information system to be checked・ Easy distribution.

Embodiment 2. FIG.
The second embodiment will be described with reference to FIGS.

FIG. 17 is an internal block diagram showing an example of the functional block configuration of the security operation management system 100 in this embodiment.
Note that portions common to the security operation management system 100 described in the first embodiment are denoted by the same reference numerals, and description thereof is omitted here.

The security operation management system 100 includes a plurality of target information database storage units 140a and 140b.
The target information database storage unit 140a has an attribute storage unit 141a, and the target information database storage unit 140b has an attribute storage unit 141b.

As described in the first embodiment, there is a case where another existing system stores the management target attribute information. In such a case, the existing other system is stored in the target information database storage unit 140 (attribute storage). By using as the unit 141), resources can be used effectively.
However, there are cases where information is insufficient only with the management target attribute information stored in another existing system.
For example, in the case where the target information database storage unit 140a is another existing system, the target information database storage unit 140b is configured to use a magnetic disk device 920 or the like for a portion where only the information stored in the target information database storage unit 140a is insufficient. Management object attribute information is stored using the storage device.
Alternatively, not only the target information database storage unit 140a but also the target information database storage unit 140b may use other existing systems so that the management target attribute information stored by both can be used.

  Further, even when the other existing system is not used as the target information database storage unit 140, the attribute storage unit 141 may be divided into a plurality of groups in order to facilitate information management and improve safety. . For example, this is a case where a part of the management target attribute information stored in the attribute storage unit 141 is disclosed.

  The security operation management system 100 in this embodiment includes a plurality of attribute storage units 141a and 141b for the reasons described above, for example.

FIG. 18 is a diagram illustrating a specific example of the extraction condition information 510 stored in the extraction condition storage unit 133 according to this embodiment.
Note that portions common to the extraction condition information 510 described in Embodiment 1 are denoted by the same reference numerals, and description thereof is omitted here.

  The extraction condition 513 is, for example, “(manager title. Target information database A = section manager or manager title. Target information database A = deputy manager or manager title. Target information database A = department manager) and device type. Target information database B Variable length character string data such as “= PC”. In this example, “.target information database A” indicates that the management target attribute information is stored in the attribute storage unit 141a, and “.target information database B” is stored in the attribute storage unit 141b. It shows that. For example, it is assumed that HR-related management target attribute information such as a manager's title is stored in the attribute storage unit 141a, and asset-related management target attribute information such as a device type is stored in the attribute storage unit 141b. As described above, by describing information indicating which attribute storage unit 141 should be referred to in the extraction condition 513, the management target attribute information can be quickly accessed. Further, when the attribute storage unit 141a and the attribute storage unit 141b store the same managed object attribute information in duplicate, it becomes clear which one should be accessed.

The security operation management system 100 (management apparatus) in this embodiment has a plurality of attribute storage units 141a and 141b.
Thereby, it becomes easy to divert the management target attribute information stored in another existing system, and resources can be effectively used. Moreover, safety can be improved by dividing and storing the management target attribute information.

  For example, the attribute storage unit 141a can store general user information (user name, affiliation, job title, etc.), and the attribute storage unit 141b can store device information such as PCs, servers, and network devices. is there.

The security operation management system 100 (management apparatus) in this embodiment instructs the attribute storage unit storing the management target attribute information in the management target extraction condition information (extraction condition information 510) stored in the extraction condition storage unit 133. A description is included.
This facilitates access to the management target attribute information stored in any one of the plurality of attribute storage units 141a and 141b, and refers to the management target attribute information stored in the plurality of attribute storage units 141a and 141b. A reference destination can be uniquely determined.

  In the security operation management system 100 described above, in the extraction condition 513 of the extraction condition information 510 stored in the target group database storage unit 130, not only the condition of the item to be checked but also a keyword specifying the target information database storage unit is described. It is characterized by being.

  As described above, the table structure and data structure of each target information database (target information database storage unit 140) for managing the target information is grasped, and the conditions based on the table structure and the data structure are determined as the target group table (target group database storage). Section 130), a flexible check target list can be obtained. For example, it is possible to acquire a check target list using an asset management system or a user information management system that has been operating in an information system.

Embodiment 3 FIG.
The third embodiment will be described with reference to FIGS.

FIG. 19 is a system configuration diagram showing an example of the overall configuration of network systems 800a and 800b in this embodiment.
The network system 800a and the network system 800b are similar to the network system 800 described in the first embodiment or the second embodiment.
The network system 800a includes a security operation management system 100a, client devices 200a to 200c, and a network 300a.
The network system 800b includes a security operation management system 100b, client devices 200d to 200f, and a network 300b.
The network system 800a and the network system 800b are systems that operate under a common security policy, and exist independently of each other. For example, the network system 800a and the network system 800b are in-house LANs that are independently operated in remote offices. The network system 800a and the network system 800b may be connectable via the Internet 940 or the like.

FIG. 20 is an internal block diagram showing an example of the functional block configuration of the security operation management system 100a and the security operation management system 100b in this embodiment.
Note that portions common to the security operation management system 100 described in the first embodiment are denoted by the same reference numerals, and description thereof is omitted here.

The security operation management system 100a and the security operation management system 100b further include a policy writing unit 150 and a policy reading unit 160.
It is not necessary for both the security operation management system 100a and the security operation management system 100b to have both the policy writing unit 150 and the policy reading unit 160. For example, the security operation management system 100a has the policy writing unit 150. However, the security operation management system 100b may not include the policy reading unit 160 but may include the policy reading unit 160 instead of the policy writing unit 150.

The policy writing unit 150 can distribute the policy definition information 530, the setting policy information 540, the execution action information 550, etc. stored in the policy database storage unit 120 to other security operation management systems using a processing device such as the CPU 911. Convert to format. The policy writing unit 150 uses the processing device such as the CPU 911 to output the converted data as distribution data.
Here, the distributable format is, for example, a file described in a format such as XML (Extensible Markup Language) or CSV (Comma Separated Values). In order to avoid eavesdropping or modification by a third party, encryption or electronic signature may be performed.

  The distribution data output by the policy writing unit 150 is recorded on a recording medium, for example, written in the CDROM by the CDD 905, and distributed to other security operation management systems. Alternatively, the distribution data output by the policy writing unit 150 may be distributed to other security operation management systems by being attached to an e-mail or transmitted by FTP (File Transfer Protocol). .

The policy reading unit 160 uses a processing device such as the CPU 911 to acquire distribution data output from the policy writing unit 150 of another security operation management system from a recording medium or an attached file of an e-mail.
The policy reading unit 160 restores the policy definition information 530, the setting policy information 540, the execution action information 550, and the like based on the acquired distribution data using a processing device such as the CPU 911, and restores the restored policy definition information 530 and setting. Policy information 540, execution action information 550, and the like are output.
The policy database storage unit 120 inputs the policy definition information 530, the setting policy information 540, the execution action information 550, and the like output from the policy reading unit 160 using a processing device such as the CPU 911. The policy database storage unit 120 stores input policy definition information 530, setting policy information 540, execution action information 550, and the like using a storage device such as a magnetic disk device 920.

  Here, the original information that the policy writing unit 150 converts into a format that can be distributed to other security operation management systems may include the action definition information 560 in addition to the above, but the extraction condition information 510 and the condition information It is assumed that the correspondence information 520 is not included. This is because even when the same security policy is applied, the extraction conditions of the group to be applied may differ because there are unique attributes in the security operation management system 100a and the security operation management system 100b. .

  Therefore, the policy administrator of the security operation management system that acquired the distribution data refers to the policy name 532 included in the acquired policy definition information 530 and the group to be associated with the policy definition information 530 and its extraction. Determine the conditions. The policy manager operates an input device such as the keyboard 902 to input information regarding a group to be associated with the policy definition information 530 and its extraction condition, and the security operation management system 100 uses a processing device such as the CPU 911. Based on the input information, the extraction condition information 510 and the condition correspondence information 520 are generated, and the target group database storage unit 130 stores them using a storage device such as the magnetic disk device 920.

FIG. 21 is a flowchart showing an example of a policy sharing process flow in which the security operation management system 100a and the security operation management system 100b share a security policy in this embodiment.
In this example, the security policy is shared by distributing the security policy stored in the security operation management system 100a to the security operation management system 100b.

The security operation management system 100a performs a policy acquisition step S51, a distribution data generation step S52, and a distribution data output step S53. This series of processing is called export processing.
In the policy acquisition step S51, the policy writing unit 150 of the security operation management system 100a distributes the policy definition information 530 stored in the policy database storage unit 120 to the security operation management system 100b using a processing device such as the CPU 911. Get target information.
In the distribution data generation step S52, the policy writing unit 150 of the security operation management system 100a uses the processing device such as the CPU 911 to convert the information acquired in the policy acquisition step S51 to generate distribution data.
In the distribution data output step S53, the policy writing unit 150 of the security operation management system 100a uses the processing device such as the CPU 911 to output the distribution data generated in the distribution data generation step S52 to a recording medium or the like.

  The distribution data is distributed to the security operation management system 100b by means such as transport of a recording medium or transmission via the Internet 940.

The security operation management system 100b performs a distribution data acquisition step S61, a policy restoration step S62, a policy storage step S63, and a group storage step S64. This series of processing is called import processing.
In the distribution data acquisition step S61, the policy reading unit 160 of the security operation management system 100b acquires distribution data from a storage medium or the like using a processing device such as the CPU 911.
In the policy restoration step S62, the policy reading unit 160 of the security operation management system 100b analyzes the distribution data acquired in the distribution data acquisition step S61 using a processing device such as the CPU 911, and restores the policy definition information 530 and the like.
In the policy storage step S63, the policy database storage unit 120 of the security operation management system 100b stores the policy definition information 530 restored by the policy reading unit 160 in the policy restoration step S62 using a storage device such as the magnetic disk device 920. To do.
In the group storage step S64, the target group database storage unit 130 uses a processing device such as the CPU 911 to obtain information such as a group extraction condition corresponding to the policy definition information 530 restored by the policy reading unit 160 in the policy restoration step S62. And the extraction condition information 510 and the like are generated based on the input information using a processing device such as the CPU 911, and the generated extraction condition information 510 and the like are stored using a storage device such as the magnetic disk device 920. To do.

  Thereby, the same security policy can be applied to the security operation management system 100a and the security operation management system 100b.

The security operation management system 100 described above is
When distributing a policy to another policy-based security operation management system, policy information excluding security check target information in the policy can be distributed.

  As described above, the policy can be distributed as electronic data to other security operation management systems. At that time, since the policy and the target group information are managed separately, it becomes easy to assign the target group information in the security operation management system of the distribution destination.

1 is a system configuration diagram illustrating an example of an overall configuration of a network system 800 according to Embodiment 1. FIG. FIG. 3 is a diagram illustrating an example of external appearances of a security operation management system 100 and client devices 200a to 200c in the first embodiment. FIG. 3 is a diagram illustrating an example of hardware resources of the security operation management system 100 and the client devices 200a to 200c according to the first embodiment. FIG. 3 is an internal block diagram illustrating an example of a functional block configuration of the security operation management system 100 according to the first embodiment. FIG. 3 is a diagram illustrating an example of information stored in the security operation management system 100 according to the first embodiment. 6 is a diagram illustrating a specific example of policy definition information 530 stored in a policy storage unit 121 according to Embodiment 1. FIG. FIG. 6 is a diagram showing a specific example of setting policy information 540 stored in the policy storage unit 121 according to the first embodiment. The figure which shows the specific example of the execution action information 550 which the execution action memory | storage part 122 in Embodiment 1 memorize | stored. FIG. 6 is a diagram showing a specific example of action definition information 560 stored by the execution action storage unit 122 according to the first embodiment. 6 is a diagram showing a specific example of extraction condition information 510 stored in the extraction condition storage unit 133 according to Embodiment 1. FIG. The figure which shows the specific example of the condition corresponding | compatible information 520 which the condition corresponding | compatible memory | storage part 132 in Embodiment 1 has memorize | stored. FIG. 10 is a diagram illustrating a specific example of attribute information 580 stored in the attribute storage unit 141 according to the first embodiment. FIG. 10 is a diagram showing a specific example of attribute definition information 570 stored in the attribute storage unit 141 according to the first embodiment. FIG. 3 is a flowchart showing an example of a flow of security check processing in which the security operation management system 100 according to the first embodiment checks the security of the network system 800. The flowchart figure which shows an example of the detail of the process of extraction condition acquisition process S13 in which the extraction condition acquisition part 112 in Embodiment 1 acquires the extraction condition information 510. The flowchart figure which shows an example of the detail of the process of the object list acquisition process S14 in which the management object extraction part 113 in Embodiment 1 acquires the list | wrist of the management object which satisfy | fills the extraction conditions 513. FIG. 6 is an internal block diagram illustrating an example of a functional block configuration of a security operation management system 100 according to a second embodiment. The figure which shows the specific example of the extraction condition information 510 which the extraction condition memory | storage part 133 in Embodiment 2 has memorize | stored. FIG. 9 is a system configuration diagram showing an example of the overall configuration of network systems 800a and 800b in a third embodiment. FIG. 10 is an internal block diagram illustrating an example of a functional block configuration of a security operation management system 100a and a security operation management system 100b according to a third embodiment. The flowchart figure which shows an example of the flow of the policy sharing process in which the security operation management system 100a and the security operation management system 100b in Embodiment 3 share a security policy.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 100 Security operation management system, 110 Security check part, 111 Policy acquisition part, 112 Extraction condition acquisition part, 113 Management object extraction part, 114 State acquisition part, 115 Policy violation extraction part, 116 Action acquisition part, 117 Action execution part, 120 Policy database storage unit, 121 Policy storage unit, 122 Execution action storage unit, 130 Target group database storage unit, 132 Condition correspondence storage unit, 133 Extraction condition storage unit, 140 Target information database storage unit, 141 Attribute storage unit, 150 Policy document Output unit, 160 policy reading unit, 200 client device, 300 network, 510 extraction condition information, 511, 523 group ID, 512 group name, 513 extraction condition, 520 condition correspondence information 521 Corresponding ID, 522, 531, 542 Policy ID, 530 Policy definition information, 532 Policy name, 533 Status, 540 Setting policy information, 541, 552 Setting ID, 543 Setting name, 544 Security condition, 550 Execution action information, 551 Action ID, 553, 561 Program ID, 554 Parameter, 555 Name, 556 Value, 560 Action Definition Information, 562 Action Name, 563 Program Call Name, 570 Attribute Definition Information, 571, 583 Attribute ID, 572 Attribute Type, 573 Target Type 574 Attribute name, 580 Attribute information, 581 Item ID, 582 Target ID, 584 Attribute value, 800 Network system, 901 Display device, 902 Keyboard, 903 Ma , 904 FDD, 905 CDD, 906 Printer device, 907 Scanner device, 910 System unit, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication device, 920 magnetic disk device, 921 OS, 922 window system, 923 program group , 924 file group, 931 telephone, 932 facsimile machine, 940 Internet, 941 gateway, 942 LAN.

Claims (5)

In a management device that has a storage device that stores information and a processing device that processes information, and manages the management target so as to satisfy the security policy.
A security policy storage unit, an attribute storage unit, an extraction condition storage unit, an execution action storage unit, a management target extraction unit, a state acquisition unit, a policy violation extraction unit, and an action execution unit;
The security policy storage unit uses the storage device to store security condition information describing conditions that the management target should satisfy,
The attribute storage unit uses the storage device to store management target attribute information describing the management target attribute,
The extraction condition storage unit stores management target extraction condition information that describes a condition for extracting a management target that should satisfy the conditions described in the security condition information, using the storage device,
The execution action storage unit stores, using the storage device, execution action information describing an action to be executed when the management target does not satisfy the condition described in the security condition information,
The management target extraction unit uses the processing device to manage the conditions described in the management target extraction condition information stored in the extraction condition storage unit based on the management target attribute information stored in the attribute storage unit Extract the target,
The status acquisition unit acquires the status of the management target for the management target extracted by the management target extraction unit using the processing device,
The policy violation extraction unit extracts a management target that does not satisfy the condition described in the security condition information stored in the security policy storage unit based on the state acquired by the state acquisition unit using the processing device. And
The action execution unit executes an action described in the execution action information stored in the execution action storage unit for the management target extracted by the policy violation extraction unit using the processing device. apparatus. The management device further includes a condition correspondence storage unit and an extraction condition acquisition unit,
The security policy storage unit stores a plurality of security condition information using the storage device,
The extraction condition storage unit stores a plurality of management target extraction condition information using the storage device,
The condition correspondence storage unit uses the storage device, and among the plurality of security condition information stored in the security policy storage unit, the condition described in each of the plurality of management target extraction condition information stored in the extraction condition storage unit Storing the security condition information describing the condition to be satisfied by the management target extracted by the above and the condition correspondence information describing the correspondence between the management target extraction condition information,
The extraction condition acquisition unit satisfies the conditions described in each of the plurality of security condition information stored in the security policy storage unit based on the condition correspondence information stored in the condition correspondence storage unit using the processing device. The management target extraction condition information describing the condition for extracting the power management target is acquired from among the plurality of management target extraction condition information stored in the extraction condition storage unit,
The management object extraction unit uses the processing device to extract the extraction condition acquisition unit for each of a plurality of security condition information stored in the security policy storage unit based on the management target attribute information stored in the attribute storage unit. The management apparatus according to claim 1, wherein a management target that satisfies the conditions described in the management target extraction condition information acquired by the server is extracted. The management device according to claim 1 or 2,
A network system comprising: a target device that is a management target of the management device.   A program that causes a computer having a storage device that stores information and a processing device that processes information to function as the management device according to claim 1 or 2. In a management method in which a management device having a storage device for storing information and a processing device for processing information manages so that a management target satisfies a security policy,
The storage device
Security condition information describing the conditions that the management target must satisfy;
Management target attribute information describing the attributes of the management target, and
Management object extraction condition information describing conditions for extracting a management object that satisfies the conditions described in the security condition information;
Storing execution action information describing an action to be executed when the management target does not satisfy the condition described in the security condition information;
The processing device
Based on the management target attribute information stored in the storage device, extract a management target that satisfies the conditions described in the management target extraction condition information stored in the storage device,
Obtain the status of the management target for the extracted management target,
Based on the acquired state, extract the management target that does not satisfy the conditions described in the security condition information stored in the storage device,
A management method characterized by executing an action described in the execution action information stored in the storage device for the extracted management target.

Images