JP2018128856A - Controller, control method, and system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enhance security relative to leakage of data held by a smart device.SOLUTION: A controller 30 makes a smart device for holding data perform state transition between a normal use state and a plurality of leakage protection states in which importance for preventing leakage of data differs from each other, and includes monitoring means 35 for monitoring generation of events in need of erasing and nullification of data, and control means 36 for making the smart device perform state transition from the normal use state to the leakage protection state when generation of an event in need of erasing and nullification of data is detected.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a control apparatus, a control method, and a system, and more particularly to prevention of information leakage of a smart device.

  When a smart device is used for business, information leakage due to extraction of business data, files, cache information, etc. stored inside the smart device due to unauthorized access or theft becomes a problem. The business data, files, cache information, etc. stored in the smart device are hereinafter referred to as contents.

  Normally, content (business data, etc.) taken outside the smart device is loaded into the smart device encryption area (or content encryption included) at the preparatory stage (downloading from the server) before taking out the content. The server keeps track of the status of taking out.

  In addition, if an event such as unauthorized access or theft occurs for smart devices and contents taken out of the company, terminal usage is disabled (certificate deletion or terminal lock) and contents are deleted by server control (remote control). -Generally, there are a mechanism for invalidation (remote wipe) and a mechanism for deleting all internal data areas of smart devices (excluding the operating system) by local wipe.

  Patent Document 1 relates to data sharing between a plurality of mobile terminals, and when detecting disconnection of a shared session with another mobile terminal in a shared network, electronic data stored in the mobile terminal may be deleted. Proposed. In Patent Literature 1, data leakage is suppressed by such monitoring control.

JP2015-49572A

  However, there are the following problems in the information leakage prevention of the background art described above.

  The first problem is that when smart devices are used for business, unauthorized access, theft or loss occurs, the SIM (Subscriber Identify Module) etc. is disconnected and the communication environment is not good (offline state) The content inside the smart device cannot be controlled.

  The second problem is that customers cannot be concerned about encryption alone. When the smart device usage environment transitions to offline (incommunicable state), it is impossible to confirm whether data has been leaked, or even if the data is encrypted, the customer's anxiety cannot be paid. Content encryption is an effective mechanism for preventing information leakage against unauthorized access (rooting, etc.) and theft / loss. However, if the smart device usage environment transitions to offline (incommunicable state), data leakage will occur. Cannot check for presence.

  Content such as remote wipe, remote lock, and terminal-side use invalidation by certificate deletion on the server side in the background technologies such as MDM (Mobile Device Management) / MAM (Mobile Application Management) / MCM (Mobile Contents Management) A mechanism for erasure / invalidation (content collection) is common. However, all of these mechanisms are based on the premise that smart devices are used in a communicable state (online environment), so if the communication is not possible or the communication environment is not good (offline state), it will be smart from a remote location. This is because access to the device and means for controlling the content are lost.

  The third problem is that when the smart device detects the timing when content deletion is necessary (except for rooting) due to the user's mistaken operation, the internal data area of the smart device is completely deleted, and smart device usage is resumed due to recovery, etc. Is very time-consuming (not convenient).

  There is a mechanism of deleting all internal data areas of smart devices (excluding the Operating System) by local wipe, which is the background technology, but this mechanism exceeds the “number of incorrect ID / password input times” preset in the terminal. It will function. For this reason, even if the user himself / herself is erroneously operated, all the data is deleted when the same condition is exceeded, so it takes a lot of time to resume the use of the smart device after recovery, such as recovery / resetting.

  An object of the present invention is to provide a control device, a control method, and a system capable of enhancing security related to information leakage of data held by a smart device.

In order to achieve the above object, the control device according to the present invention provides a state in which a smart device that holds data is in a normal use state and a plurality of leak prevention states having different importance levels for preventing the data leakage. A control device for state transition in
Monitoring means for monitoring the occurrence of an event that requires erasure or invalidation of the data;
When detecting the occurrence of an event that requires erasure or invalidation of the data, control means for causing the smart device to transition from the normal use state to the leakage prevention state;
including.

The control method according to the present invention is a control method for causing a state transition of a smart device holding data between a normal use state and a plurality of leakage prevention states having different importance levels for preventing the data leakage. There,
Monitor the occurrence of events that require erasure or invalidation of the above data,
When the occurrence of an event that requires erasure or invalidation of the data is detected, the smart device is transitioned from the normal use state to the leak prevention state.

A system according to the present invention includes a server and a smart device that communicates with the server and holds data,
The smart device
A control device that changes the state of the smart device between a normal usage state and a plurality of leakage prevention states having different importance levels for preventing the leakage of the data, wherein the data is erased or invalidated. Monitoring means for monitoring the occurrence of a necessary event; and control means for causing the smart device to transition from the normal use state to the leakage prevention state when the occurrence of an event that requires erasure or invalidation of the data is detected. , Including a control device.

  The present invention can enhance security related to information leakage of data held by a smart device.

(A) is a block diagram for explaining an information processing device for an embodiment according to a superordinate concept of the present invention, and (b) is a block diagram for explaining a control device of an embodiment according to a superordinate concept of the present invention. It is. It is a block diagram for demonstrating an example of the system by embodiment of this invention. FIG. 3 is a block diagram illustrating a configuration example of a smart device in FIG. 2. FIG. 4 is a functional block diagram illustrating a configuration example of a CPU and a memory of the smart device in FIG. 3. FIG. 3 is a state transition outline diagram illustrating an example of a control state of the smart device in FIG. 2. 3 is a flowchart for explaining a synchronization operation between the smart device of FIG. 2 and a server. It is a flowchart for demonstrating operation | movement of the control apparatus of 1st Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 1st Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 1st Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 1st Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 1st Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 1st Embodiment of this invention. It is a flowchart for demonstrating the control processing of secondary data leakage prevention by the control apparatus of 1st Embodiment of this invention. It is a flowchart for demonstrating the control processing of tertiary data leakage prevention by the control apparatus of 1st Embodiment of this invention. It is a flowchart for demonstrating the control processing of quaternary data leakage prevention by the control apparatus of 1st Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 2nd Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 2nd Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 2nd Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 2nd Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 2nd Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 2nd Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 2nd Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the control apparatus of 1st Embodiment of this invention. It is a flowchart for demonstrating the control processing of secondary data leakage prevention by the control apparatus of 2nd Embodiment of this invention. It is a flowchart for demonstrating the control processing of tertiary data leakage prevention by the control apparatus of 2nd Embodiment of this invention. It is a flowchart for demonstrating the control processing of quaternary data leakage prevention by the control apparatus of 2nd Embodiment of this invention.

  Before describing preferred embodiments of the present invention, the terminology used in the specification will be explained.

(Content multi-level defense)
“Content multi-level defense” means that information leakage prevention control is performed step by step according to the urgency (security level) of security measures (data leakage prevention measures) (Considering both security and convenience). For example, “Rooting operation” is a very high security level in which security measures need to be urgently implemented in “Conditions for Determining Deletion / Invalidation of Content in Smart Devices” .

(Access outside usage rights)
“Non-usable access” refers to attribute information (hereinafter referred to as content attribute; synonymous with metadata) used when operating business data (hereinafter referred to as content) in a company. It contains information such as date / time, content identifier, usage range, and usage range information includes “users available”, “use ranges (users or groups)”, and “privileges granted to users” ”,“ Expiration date ”,“ available application ”, and the like. When content other than the usage range setting information is used (accessed), it is defined as “(access to content) unauthorized access”.

(Normal use state)
The “normal use state” is a state in which a user who is given a use right uses a smart device in accordance with a management / operation policy established by a company. Main control in the normal use state is monitoring of “content erasure / invalidation timing” and detection of the same timing. When the “content erasure / invalidation timing” is detected, the smart device or the content is controlled according to the content multi-level defense policy table, and a transition is made to the corresponding data leakage prevention state.

(Primary data leakage protection status)
“Primary data leakage prevention state” means, for example, when the offline state (the communication disabled state or the communication environment is not good) that is “content erasure / invalidation timing” in the normal use state is detected. This means a state of waiting for input of authentication information for performing off-line authentication when accessing the contents list and contents stored in an area where security is ensured and monitoring of unauthorized login operations of the user.

  The main control in the primary data leakage protection state is monitoring of the conditions for transitioning to the “next data leakage protection state” or the normal use state (monitoring of “content erasure / invalidation timing”) and offline authentication. When the content erasure / invalidation timing is detected, the smart device or content is controlled in accordance with the content multi-level defense policy table, and a transition is made to the corresponding next data leakage prevention state. Further, when the online state is detected, the offline authentication is canceled and the state transits to the normal use state.

(Secondary data leakage prevention status)
“Secondary data leakage prevention state” means, for example, that the smart device cannot be operated or the content cannot be accessed by the control after detection of “content erasure / invalidation timing” in the normal use state or the primary data leakage prevention state. Means state. As this state, an application lock state, a terminal lock state, etc. are assumed.

  The main control in the secondary data leakage protection state is monitoring of conditions for transitioning to the “next data leakage protection state” (“content erasure / invalidation timing”, expiration of timer value, etc.). When the content erasure / invalidation timing detection or state transition condition expiration detection is performed, the smart device or content is controlled according to the content multi-stage protection policy table, and the state transits to the corresponding next data leakage protection state. Moreover, when the defense state cancellation | release is received from the server, the state transition conditions set in this defense state are reset, and it changes to a normal use state.

(Tertiary data leakage protection status)
“Tertiary data leakage prevention state” means that when the content erasure / invalidation timing is detected in the normal use state or the primary data leakage prevention state, for example, by control after detecting “expiration of secondary data leakage prevention condition” This means that the content inside the smart device has been erased. Possible content erasures include content unit erasure, user area erasure, and business area erasure when using BYOD (Bring Your Own Device).

  The main control in the tertiary data leakage protection state is monitoring of conditions for transitioning to the “next data leakage protection state” (“content erasure / invalidation timing”, expiration of timer value, etc.). When the content erasure / invalidation timing detection or state transition condition expiration detection is performed, the smart device or content is controlled according to the content multi-stage protection policy table, and the state transits to the corresponding next data leakage protection state. Moreover, when the defense state cancellation | release is received from the server, the state transition conditions set in this defense state are reset, and it changes to a normal use state.

(4th data leakage protection status)
The “quaternary data leakage prevention state” means that the content erasure / invalidation timing is detected in the normal use state or the primary data leakage prevention state, or by the control after the detection of “tertiary data leakage prevention state condition expiration”, for example. This means that the contents inside the smart device have been permanently erased.

  The main control in the quaternary data leakage protection state is that when the rooting operation is detected in the normal use state or the primary data leakage protection state, or the quaternary data leakage protection state is detected when the tertiary data leakage protection state transition condition expiration is detected. Transition and unrecoverable erasure of all data inside the smart device. Note that all the data inside the smart device to be erased here means all data (applications, policy data, etc.) excluding the OS (Operating System) inside the smart device. Then, after the erasure process is completed, the smart device state is changed to the smart device initialization state.

(Smart device initialization status)
The “smart device initialization state” refers to a state in which, in the “quaternary data leakage prevention state”, all data except for the OS inside the smart device has been erased. This state refers to a state before the factory shipment of the smart device, that is, a state before kitting in the factory shipment. There is no particular control in the smart device initialization state, but the smart device that has entered the smart device initialization state is reused. Specifically, in order to restore the normal use state described above, policies, applications, and content can be reinstalled. is necessary.

(Content multi-level defense policy table)
Conditions for determining whether to erase / invalidate content in a smart device, and range of erasure / invalidation for controlling content in multiple stages (content unit erase, user area erase, business area erase (when using BYOD)) ) And other definition information. In the smart device, first, after activation, a content multi-level defense policy table is registered. The conditions in this table differ depending on the operating policy such as IT (Information Technology) usage rules in the company, but as an example of this description, the following conditions are defined here.
● Unauthorized access:
Number of incorrect ID / password input (illegal login operation)
Offline authentication failure count (unauthorized access operation)
Rooting operation etc. ● Theft / Lost:
SIM card removal (SIM card removal operation)
Bluetooth (registered trademark) / WiFi disconnection (Bluetooth (registered trademark) / WiFi disconnection operation)
* In the above operation detection, theft / loss is a combination of conditions such as location information of smart devices (use) and input of allowable time required for recovery (SIM card insertion) in accordance with operational policies such as IT usage regulations at companies. Make a decision.
● Normal access / semi-normal access:
<The following conditions are also included when accessing the server>
Excessive access to content (operation policy violation)
Content attribute change (operation policy violation)
Unauthorized access operation (operation policy violation)
In addition, this table is registered at the time of initial setting and at the time of setting change accompanying operation method (condition) change.

  Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the drawings.

[First Embodiment]
First, the control device, control method, and system according to the first embodiment of the present invention will be described. The present embodiment relates to control that performs multi-stage defense when a smart device to which a control device is applied moves from an online environment to an offline environment. Here, the online environment of the smart device refers to a state in which communication between the smart device and the server is possible. The smart device offline environment refers to a state where communication between the smart device and the server is not possible or a communication environment between the smart device and the server is not good. It is assumed that remote control from the server to the smart device is disabled in the smart device offline environment.

(Constitution)
Referring to FIG. 2, the system according to the first embodiment of the present invention includes a smart device 1, a radio access network (RAN) or WiFi access point (AP) 10, lines 11 and 12, an Internet or Intra Network (IN). ) 100 and the server 20.

  Here, the server 20 is a generic term for a cloud service contracted by a company, an in-company server, and the like.

  The smart device 1 has MDM (Mobile Device Management) / MAM (Mobile Application Management) / MCM (Mobile Contents Management) functions. As illustrated in FIG. 3, the smart device 1 includes a User Equipment (UE) 2, a User Identity Module (UIM) 3, and an antenna 7. The UE 2 of the smart device 1 includes a radio unit / control unit 4, a CPU (central processing unit; processor; data processing unit) 5 that operates by program control, and a memory 6.

  The smart device 1 in FIG. 2 shows a case of a mobile communication model such as 3G / LTE (3rd Generation / Long Term Evolution). If the smart device is a WiFi model, the UIM 3 in FIG. 2 is not necessary.

  As shown in FIG. 4, the CPU 5 of the smart device 1 includes a UI control processing unit 502, a policy setting control unit 503, a content erasure timing monitoring / detection processing unit 504, a state transition condition monitoring processing unit 505 using a timer, and an offline device. An authentication processing unit 506 is included. Furthermore, the CPU 5 of the smart device 1 includes a terminal lock / application lock control processing unit 507, a content deletion control processing unit 508, a content deletion tool control / processing unit 509, a data leakage prevention release processing unit 510, a data synchronization processing unit 511, and data transmission / reception. A processing unit 512 and a function state management unit / function control unit 501 are included.

  The offline authentication processing unit 506 is used for primary data leakage prevention described later. The terminal lock / application lock control processing unit 507 is used for secondary data leakage prevention described later. The content erasure control processing unit 508 is used for tertiary data leakage prevention described later. The content erasure tool control / processing unit 509 is used for the fourth data leakage prevention described later. Note that the content erasure by the content erasure tool control / processing unit 509 performs irrecoverable erasure as described later.

  The data transmission / reception processing unit 512 performs data transmission / reception including reception of a protection state release notification for recovering from a primary data leakage protection state to a tertiary data leakage protection state, which will be described later.

  The memory 6 of the smart device 1 includes a security ensuring area 61 as shown in FIG. The security ensuring area 61 of the memory 6 includes a content multi-stage control policy 62, a content attribute / main body 63, and a content list 64, as shown in FIG.

  The content multi-level control policy 62 is a condition for determining whether to erase or invalidate content in the smart device, or an erase / invalidation range for controlling content in multiple stages (content unit erase, user area erase, Definition information such as business area deletion (when using BYOD)).

  When the smart device usage environment is an online environment, the smart device 1 downloads content (business data such as forms and customer information) to be taken out of the company after startup from the server 20, and the content attributes and content in the memory 6 The content attribute / main body 63 as the main body is stored. At this time, the smart device 1 creates a downloaded content list 64 and performs data synchronization with the server 20. As a result, the content carry-out status is controlled and managed by the server 20, and the smart device 1 also manages the same information.

  In an online environment, data synchronization is performed between the smart device 1 and the server 20 when content information is updated or periodically. The data synchronization operation between the smart device and the server will be described in more detail with reference to FIG. The smart device 1 downloads and stores content when the smart device usage environment is an online environment (S1). Here, the attribute information is the same as that of the server 20 that is the download source. Completion of content storage is confirmed (S2), and when the storage is completed, a content list is generated (S3). The completion of content list generation is confirmed (S4), and when the generation is completed, the content list is stored in the memory 6 (S5). The storage completion of the content list is confirmed (S6). When the storage is completed, the smart device 1 performs data synchronization with the server 20 (S7). Completion of data synchronization is confirmed (S8). When synchronization is completed, data synchronization completion information is registered (S9). Next, the smart device user is notified by a technique including content list display (S10). And the smart device 1 will be in a normal use state (S11).

(State transition control by controller)
An outline of the state transition control by the control device of the present embodiment will be described with reference to the state transition diagram of FIG.

  When the smart device 1 taken out of the company detects that the condition 1 is satisfied, the system state is changed to the “primary data leakage prevention state”. Here, the condition 1 is detection of a communication disabled state in the “normal use state” or a state where the communication environment is not good (offline state), and detection of a communication path disconnection operation. An example of the communication path disconnection operation is an operation to set the airplane mode. This “Primary data leakage prevention state” is an operation that performs unauthorized login operation monitoring for login to the smart device and offline authentication when accessing a content list and content stored in a secure area. Become.

  In “Primary data leakage prevention state”, if the authentication result is OK in the offline authentication after successful login to the smart device, the state transitions to the normal use state, and at the end of use, the smart device logs in / offline Wait for authentication input information. Further, when detecting the return of the smart device usage environment to the online environment, the offline authentication is canceled (the primary data leakage prevention state is canceled), and the system state is changed to the “normal usage state”.

  Next, when the login to the smart device fails in the “primary data leakage prevention state” and the satisfaction of the condition 2 is detected, the system state is changed to the “secondary data leakage prevention state”. Here, condition 2 is an excessive number of erroneous ID / password inputs, an excessive number of offline authentication failures, a SIM card removal, and the like. After transitioning to the “secondary data leakage prevention state”, the conditions for transitioning to the “third data leakage prevention state” are monitored (“content erasure / invalidation timing”, timer value expiration, etc.). That is, it waits for the transition to the tertiary data leakage protection state.

  Next, when the satisfaction of the condition 3 is detected in the “secondary data leakage prevention state”, the system state is changed to the “third data leakage prevention state”. Here, the condition 3 is expiration of a state transition condition such as a timer value or removal of a SIM card. In the “tertiary data leakage prevention state”, the erasure process is performed according to the erasure / invalidation range (content unit erasure, user area erasure, and business area erasure (when using BYOD)) of the content multi-level defense policy table. Furthermore, the conditions for transition to the “quaternary data leakage prevention state” are monitored (“content erasure / invalidation timing”, timer value expiration, etc.). That is, it waits for the transition to the quaternary data leakage protection state.

  Next, when the satisfaction of the condition 4 is detected in the “tertiary data leakage prevention state”, the system state is changed to the “quaternary data leakage prevention state”. Here, condition 4 is expiration of state transition conditions such as a timer value, rooting operation, and the like. In the “quaternary data leakage prevention state”, a tool that makes it impossible to restore erased data installed in the smart device in advance is controlled. By this control, all data (contents, applications, policy data, etc.) except the OS inside the smart device is erased in an unrecoverable manner. After this erasure is completed, the system state is changed to the smart device initialization state. The smart device initialization state is a pre-factory state of the smart device.

  When the smart device 1 taken out of the company detects that the condition 5 is satisfied, it is assumed that the system state is changed to the “tertiary data leakage prevention state”. Here, condition 5 is “SIM card removal operation”. If the “SIM card removal operation” is detected in consideration of the possibility of the (non-malicious) “SIM card removal operation” by the user himself or a maintenance worker permitted by the user himself / herself, the CPU 5 uses the IT in the company. When the input of the allowable time required for the recovery (SIM card insertion) according to the operating policy such as regulations is prompted and the input of the allowable time in the operating policy (the time determined in advance by the operating policy) is detected, No transition to "Tertiary data leakage protection state".

  When the smart device 1 taken out of the company detects that the condition 6 is satisfied, the system state is changed to the “quaternary data leakage prevention state”. Here, condition 6 is a rooting operation. In the “quaternary data leakage prevention state”, a tool that makes it impossible to restore erased data installed in the smart device in advance is controlled. By this control, all data (contents, applications, policy data, etc.) except the OS inside the smart device is erased in an unrecoverable manner. After this erasure is completed, the system state is changed to the smart device initialization state.

  In the “tertiary data leakage prevention state”, if the condition is satisfied, the state transition can be made to “normal use state” or “primary data leakage prevention state”. As understood from FIG. 5, when the satisfaction of the condition 4 or the condition 6 is detected, the system state is changed to the “quaternary data leakage prevention state”, and the “normal use state” is changed from the “quaternary data leakage prevention state”. It is not possible to make a state transition to.

(Operation when smart device 1 is taken out of office)
Next, operations of the smart device 1 and the server 20 when the smart device 1 is taken out of the office will be described with reference to flowcharts.

  The smart device 1 taken out of the company monitors the content erasure / invalidation timing after the normal use state (S21) (S22). When the CPU 5 detects an incommunicable state or an unsatisfactory communication environment (offline state) in the “normal use state” (YES in S23), “offline authentication” is activated (S24), and the authentication is waited. This offline authentication is an operation required when accessing a content list and content stored in an area where security is ensured. Further, the system state is changed to the “primary data leakage prevention state” (S25), and online detection is confirmed (S26). For example, when the smart device 1 is successfully logged in by an operation of the user of the smart device 1 and the authentication result is OK in the subsequent offline authentication (YES in S26), the “offline authentication” is canceled (S27), Return to the normal use state (S21).

  After the state transition to the “primary data leakage protection state” (S25), the start of smart device use (login) is confirmed (S28). When the start of using the smart device has been confirmed (YES in S28), the process proceeds to the process (1) specifically shown in FIG. When the start of using the smart device cannot be confirmed (NO in S28), the SIM card removal is detected (S29). When the removal of the SIM card is not detected (NO in S29), the process proceeds to confirmation of the start of smart device utilization (login) (S28). When the removal of the SIM card is detected (YES in S29), the process proceeds to the process (2) specifically shown in FIG. 9A.

  In the process (1) specifically shown in FIG. 8, it is confirmed whether there is no problem in the authentication using the ID or password input by the user (S101). It is confirmed whether there is a problem with the authentication using the ID or password input by the user and the number of times of authentication failure has been exceeded (S102). Until the number of times of authentication failure exceeds, confirmation of authentication by ID or password (S101) is repeated. When the number of occurrences of the authentication failure is exceeded (YES in S102), a “secondary data leakage prevention” control process is performed (S103). Thereafter, the process proceeds to the process (3) specifically shown in FIG. 9B.

  If there is no problem with the ID or password entered by the user (NO in S101) in the confirmation of authentication by ID or password (S101), a communication means disconnection operation is detected (S104). Here, the communication means disconnection operation may be, for example, an operation for setting the airplane mode by the user. When the communication means disconnection operation is detected, “offline authentication” is continuously operated (S112). Due to the continuous operation of “offline authentication”, the state of waiting for authentication continues. If no communication means disconnection operation is detected, the presence / absence of access to the secure area is confirmed (S105). When there is no access to the secure area, the “primary data leakage protection state” is held (S113). Further, when the SIM card removal is detected (S114) and the SIM card removal is detected (YES in S114), the process proceeds to the process (2) specifically shown in FIG. 9A.

  When the removal of the SIM card is not detected (NO in S114), the presence / absence of rooting operation to the smart device 1 is detected (S115). When the rooting operation is not detected, the process proceeds to the communication means disconnection operation detection (S104). When the rooting operation to the smart device 1 is detected, the process proceeds to the process (5) specifically shown in FIG. 10B.

  When the communication means disconnection operation is not detected (NO in S104) and the secure area is accessed (NO in S105), the “offline authentication” process is started (S106). The success or failure of the offline authentication is confirmed (S107), and when the offline authentication is successful (NO in S107), access to the “secure area” is permitted (S109). Allowing access to the “secure area” means that access to the “secure area” can be used offline.

  Thereafter, the presence / absence of an operation policy violation is detected. When an operation policy violation is detected (YES in S110), the process proceeds to the “secondary data leakage prevention” control process (S103). When no operation policy violation is detected (NO in S110), the end of use of the smart device 1 is confirmed (S111). If the use end of the smart device 1 is not confirmed, the process moves to the “secure area” access permission (S109). When the end of use of the smart device 1 is confirmed, the process returns to the beginning of the flowchart of FIG. 8 in order to resume use of the smart device 1.

  Next, the process (2) performed after the SIM card removal is detected will be described with reference to the flowchart of FIG. 9A. An input request for “recovery time (time required for SIM card insertion)” which is a time required for returning to the state where the extracted SIM card is inserted is made (S201). Furthermore, the validity of the input value of the recovery time input to the smart device 1 is confirmed (S202). When the input value of the input recovery time is valid, the “SIM removal” state is confirmed (S204). When the SIM card is restored and the “SIM removal” state is completed, the process returns to the process (1) specifically shown in FIG.

  When the “SIM removal” state is confirmed (YES in S204), it is confirmed whether the inputted “recovery time” has expired (S205). While the inputted “recovery time” has not expired, the confirmation of the “SIM removal” state (S204) is repeated. When the “recovery time” has expired (YES in S205), a “secondary data leakage prevention” control process is performed (S203). A more specific content of the “secondary data leakage prevention” control process is shown in FIG. 11A described later.

  The process (3) performed after the “secondary data leakage prevention” control process (S103) of FIG. 8 will be described with reference to the flowchart of FIG. 9B.

  It is confirmed whether secondary defense state cancellation is necessary (S301). The user of the smart device 1 contacts the administrator by some means, and moves the smart device 1 to the online environment (S302). The server 20 waits for a defense status release notification from the server 20 (S303) and confirms receipt of the release notification (S304). When it is confirmed that the release notification has been received, the defense state is released (S305). This defense state cancellation includes unlocking and offline authentication cancellation. Then, the state transitions to the “normal use state” (S306).

  When it is not necessary to cancel the secondary protection state (NO in S301), the transition condition to the “tertiary data leakage protection state” is monitored (S307). The transition condition to the “tertiary data leakage protection state” is based on a timer value or the like. The expiration of the state transition condition to the “tertiary data leakage protection state” is confirmed, and the expiration confirmation of the state transition condition to the “tertiary data leakage protection state” is repeated while the expiration is not completed. When the expiration of the state transition condition to the “tertiary data leakage protection state” is confirmed (YES in S308), the “tertiary data leakage prevention” control process is performed (S309). More specific contents of the “tertiary data leakage prevention” control process are shown in FIG. 11B described later. Thereafter, the process proceeds to the process (4) specifically shown in FIG. 10A.

  The process (4) performed after the “tertiary data leakage prevention” control process (S309) of FIG. 9B will be described with reference to the flowchart of FIG. 10A.

  It is confirmed whether the tertiary defense state needs to be canceled (S401). The user of the smart device 1 contacts the administrator by some means and moves the smart device 1 to the online environment (S402). It waits for a defense status release notification from the server 20 (S403) and confirms receipt of the release notification (S404). When receipt of the release notification is confirmed, the defense state is released (S405). This defense state cancellation includes unlocking and offline authentication cancellation. Then, the state transitions to the “normal use state” (S406).

  When it is not necessary to cancel the tertiary protection state (NO in S401), the transition condition to the “quaternary data leakage protection state” is monitored (S407). The transition condition to the “quaternary data leakage protection state” is based on a timer value or the like. The expiration of the state transition condition to the “quaternary data leakage protection state” is confirmed, and the expiration confirmation of the state transition condition to the “quaternary data leakage protection state” is repeated while the state transition condition has not expired. When the expiration of the state transition condition to the “quaternary data leakage prevention state” is confirmed (YES in S408), “quaternary data leakage prevention” control processing is performed (S409). A more specific content of the “quaternary data leakage prevention” control process is shown in FIG. 11C described later.

  The process (5) performed after the rooting operation of FIG. 8 is detected (YES in S115) will be described with reference to the flowchart of FIG. 10B. In this case, a “quaternary data leakage prevention” control process is performed (S501).

  FIG. 11A shows more specific processing contents of the “secondary data leakage prevention” control processing in S103 and S203. “Secondary data leakage prevention” control processing is started, and “lock control” is activated. This “lock control” is terminal lock or application lock. Next, the state transitions to the “secondary data leakage prevention state”. Next, a transition condition to the “tertiary data leakage prevention state”, such as a timer value, is set and monitored.

  FIG. 11B shows more specific processing contents of the “tertiary data leakage prevention” control processing of S309. “Tertiary data leakage prevention” control processing is started, and “content erasure” is activated based on the erasure range definition information. Next, the state transitions to the “tertiary data leakage prevention state”. Next, a transition condition to the “quaternary data leakage prevention state”, such as a timer value, is set and monitored.

  FIG. 11C shows more specific processing contents of the “quaternary data leakage prevention” control processing of S409. The “quaternary data leakage prevention” control process is started, and the state transitions to the “quaternary data leakage prevention state”. Unrecoverable erasure is performed on all data inside the smart device 1 except the OS. Next, the state transitions to the “initialized state”. This “initialized state” refers to a state before shipment from the factory.

(Effect of 1st Embodiment)
In the smart device 1 to which the control device of this embodiment is applied, security enhancement (information leakage prevention) is possible.

  The reason is that in unauthorized access (such as rooting) and inability to remotely control smart devices (incommunicable state with SIM removed due to theft, loss, etc. or communication environment is not good (offline state)), etc. This is because content control inside the smart device becomes possible. Furthermore, it is possible to provide (implement) a service with further enhanced security (information leakage prevention) by performing detailed condition setting and data protection.

  Furthermore, in the smart device 1 to which the control device of the present embodiment is applied, it is possible to improve customer (smart device user) satisfaction with a safe and secure use environment.

  The reason is that in unauthorized access (such as rooting) and inability to remotely control smart devices (incommunicable state with SIM removed due to theft, loss, etc. or communication environment is not good (offline state)), etc. This is because detailed condition setting and data protection become possible. Eventually, all data (contents, applications, policy data, etc.) except for the OS inside the smart device will be erased in a non-recoverable manner (complete erasure). Can relieve customer's anxiety about the potential. Customer (smart device user) satisfaction can be improved by providing a safe and secure use environment for this system.

  Furthermore, in the smart device 1 to which the control device of the present embodiment is applied, it is possible to improve the convenience of business use of the smart device with security maintained. In other words, it is possible to achieve both security and convenience.

  When some trouble occurs during business use of a smart device, even the user himself / herself may be upset and misoperate the smart device, or may be misused by a person unfamiliar with IT when using the smart device. In this embodiment, by performing step-by-step data protection according to the security level based on detailed condition settings, while maintaining the security of the internal data of the smart device, the recovery work time required for resuming the use of the smart device is minimized. realizable. Here, the recovery work required for resuming the use of the smart device is a smart device use environment setting such as reinstallation of applications, contents, and policies. As described above, it is possible to provide an optimal smart device usage environment capable of achieving both security and convenience even when a problematic event occurs.

  In the smart device 1 to which the control device of the present embodiment is applied, when an event that requires deletion or invalidation of secret information is detected, control according to content multi-stage defense is performed from the normal use state. Thereby, data leakage can be suppressed.

  Further, in the smart device 1 to which the control device of the present embodiment is applied, even when the smart device exists in an offline environment, when an event that requires deletion or invalidation of confidential information is detected, the content is changed from the normal use state. Control according to multi-stage defense. Thereby, it is possible to suppress data leakage even for the smart device 1 in a state where remote control is impossible.

  For example, when the root of the smart device 1 is detected, the state is changed to the “quaternary data leakage prevention state”, and all the data inside the smart device 1 except the OS is erased unrecoverably. Thereby, leakage of secret information to a malicious smart device 1 user can be prevented.

  For example, when a SIM card extraction operation of the smart device 1 is detected, an allowable time required for recovery is input, and when an appropriate time input is detected, leakage that is more important during the input time. The recovery operation is monitored after the transition to the defensive state. As a result, it is possible to allow unintentional SIM removal by the user himself or a maintenance worker authorized by the user himself / herself. In addition, for the SIM card extraction operation by the user or a user other than the maintenance worker permitted by the user himself / herself, it is possible to perform a state transition to a leakage protection state with higher importance. Thereby, leakage of secret information to a malicious smart device 1 user can be prevented.

[Second Embodiment]
Next, a control device, a control method, and a system according to a second embodiment of the present invention will be described. The present embodiment relates to control that performs multi-stage defense assuming an environment (online environment) in which a communication path in a smart device usage environment is secured as an example of a control device, a control method, and a system.

  As in the first embodiment of the present invention described above, the system of the present embodiment includes a smart device 1, a radio access network (RAN) or WiFi access point (AP) 10, lines 11, 12, and Internet or Intra. Network 100 and server 20 are included.

  As illustrated in FIG. 3, the smart device 1 includes a User Equipment (UE) 2, a User Identity Module (UIM) 3, and an antenna 7. The UE 2 of the smart device 1 includes a radio unit / control unit 4, a CPU (central processing unit; processor; data processing unit) 5 that operates by program control, and a memory 6.

  The smart device 1 in FIG. 2 shows a case of a mobile communication model such as 3G / LTE. If the smart device is a WiFi model, the UIM 3 in FIG. 2 is not necessary.

  As shown in FIG. 4, the CPU 5 of the smart device 1 includes a UI control processing unit 502, a policy setting control unit 503, a content erasure timing monitoring / detection processing unit 504, a state transition condition monitoring processing unit 505 using a timer, and an offline device. An authentication processing unit 506 is included. Furthermore, the CPU 5 of the smart device 1 includes a terminal lock / application lock control processing unit 507, a content deletion control processing unit 508, a content deletion tool control / processing unit 509, a data leakage prevention release processing unit 510, a data synchronization processing unit 511, and data transmission / reception. A processing unit 512 and a function state management unit / function control unit 501 are included.

  Next, operations of the smart device 1 and the server 20 when the smart device 1 is taken out of the office will be described with reference to the flowchart of FIG. 12A. In the present embodiment, the description will be made on the assumption that the smart device 1 is taken out of the office but maintains an online environment.

  The smart device 1 taken out of the company monitors the content erasure / invalidation timing after the normal use state (S31) (S32). Further, the start of smart device use (login) is confirmed (S33). When the start of using the smart device is confirmed (YES in S33), the process proceeds to the process (6) specifically shown in FIG. 12B. If the start of using the smart device cannot be confirmed (NO in S33), the removal of the SIM card is detected (S34). If the removal of the SIM card is not detected (NO in S34), the process returns to the content erasure / invalidation timing monitoring (S32). When the removal of the SIM card is detected (YES in S34), the process proceeds to the process (7) specifically shown in FIG.

  In the process (6) specifically shown in FIG. 12B, it is confirmed whether or not there is a problem in the authentication using the ID or password input by the user (S601). If there is no problem with the authentication using the ID or password input by the user (NO in S601), the process proceeds to the process (8) specifically shown in FIG. If there is a problem with the authentication using the ID or password input by the user, it is checked whether the number of times of authentication failure has been exceeded (S602). Until the number of times of authentication failure exceeds, confirmation of authentication by ID or password (S601) is repeated. When the number of occurrences of the authentication failure is exceeded (YES in S602), “secondary data leakage prevention” control processing is performed (S603). More specific contents of the “secondary data leakage prevention” control process are shown in FIG. 17A described later. Thereafter, the process proceeds to the process (10) specifically shown in FIG. 16A.

  Further, in the smart device 1 taken out of the company, the CPU 5 is in the “normal use state”, and the server 20 is “content access count (exceeded access count)” or “access outside the use authority” that is the content deletion / invalidation timing. When it is detected that the smart device 1 user violates the operation policy, such as “operation”, the server 20 transmits a notification for alerting the smart device 1 (notification of access exceeding the number of times of access or unauthorized access). .

At this time, if the server 20 detects that the user of the smart device 1 ignores this notification and continues to access the server 20, the terminal lock or application which is remote control such as the MDM function or the MAM function is performed. Lock (remote lock).
At this time, the server 20 transmits a remote lock notification (a notification that the smart device 1 has been locked remotely) to the smart device 1.

When the CPU 5 detects the “remote lock notification”, the system state is changed to the “secondary data leakage prevention state” and the condition for changing to the “tertiary data leakage prevention state” is monitored (“content deletion / invalidation”). Timing "and timer value expiration). (Waiting for transition to tertiary data leakage protection state)
Further, in the smart device 1 taken out of the company, when the CPU 5 detects “Bluetooth / WiFi disconnection operation” in the in-flight mode or the like when the CPU 5 is in the “normal use state” and the CPU 5 is the content erasing / invalidation timing. When an unauthorized login operation is monitored for login or a content list stored in a secure area and content is accessed, offline authentication is performed, and the system status is changed to "Primary data leakage prevention status". Transition.

Under the above situation, as with the offline environment description, when an event occurs in which login or offline authentication has failed, the CPU 5 monitors the content erasure / invalidation timing (exceeding the number of failures) and detects that the CPU 5 has exceeded the number of failures. Then, control such as terminal lock / application lock is performed, and the system state is changed to the “secondary data leakage prevention state” and the condition for changing to the “third data leakage prevention state” is monitored (“content deletion / Invalidation timing "and timer value expiration). (Waiting for transition to tertiary data leakage protection state)
Under the above circumstances, when the CPU 5 detects “Bluetooth / WiFi connection operation” (return to online environment) due to release of airplane mode, etc., it cancels offline authentication (releases the primary data leakage protection state) and transitions to the normal use state. To do.

  Next, the process (7) performed after the SIM card removal is detected will be described with reference to the flowchart of FIG. An input request of “recovery time (time required for SIM card insertion)” which is a time required for returning to the state where the extracted SIM card is inserted is made (S701). Further, the validity of the input value of the recovery time input to the smart device 1 is confirmed (S702). When the input recovery time value is valid, the “SIM removal” state is confirmed (S704). When the SIM card is restored and the “SIM removal” state ends, the process returns to the process (6) specifically shown in FIG. 12B.

  When the “SIM removal” state is confirmed (YES in S704), it is confirmed whether the inputted “recovery time” has expired (S705). While the inputted “recovery time” has not expired, the confirmation of the “SIM removal” state (S704) is repeated. When the “recovery time” expires (YES in S705), “secondary data leakage prevention” control processing is performed (S703). More specific contents of the “secondary data leakage prevention” control process are shown in FIG. 17A described later. Thereafter, the process proceeds to the process (10) specifically shown in FIG. 16A.

  Process (8) will be described with reference to the flowchart of FIG. Monitoring including operation policy monitoring is performed during login of the smart device 1 (S801). Whether or not an operation policy is violated is monitored, and if a violation is detected (YES in S802), the process proceeds to a "secondary data leakage prevention" control process (S803). When an operation policy violation is not detected (NO in S802), whether or not there is access to the server 20 is confirmed (S804). During the login of the smart device 1, monitoring including operation policy monitoring is performed (S805). Whether or not there is an operation policy violation is monitored, and if an operation policy violation is detected (YES in S806), the process proceeds to the “secondary data leakage prevention” control process (S803). When no operation policy violation is detected (NO in S806), the presence / absence of rooting operation to the smart device 1 is detected (S807). When the rooting operation is not detected, the SIM card removal is detected (S808), and when the SIM card removal is detected (YES in S808), the process proceeds to the process (7) specifically shown in FIG.

  When SIM card removal is not detected (NO in S809), a communication means disconnection operation is detected (S809). Here, the communication means disconnection operation may be, for example, an operation for setting the airplane mode by the user. When the communication means disconnection operation is not detected, the process returns to S801. When the communication means disconnection operation is detected, the process proceeds to the process (9) specifically shown in FIG.

  In the process (9) specifically shown in FIG. 15, “offline authentication” is activated (S901), and the authentication is waited. Further, the state transitions to the “primary data leakage protection state” (S902). The presence / absence of the communication means connection operation is confirmed. When the communication means connection operation is confirmed (YES in S903), “offline authentication” is canceled (S904). And it returns to the process (8) shown by FIG. When the communication means connection operation cannot be confirmed (NO in S903), the presence / absence of the rooting operation to the smart device 1 is detected (S905). When the rooting operation is not detected, the removal of the SIM card is detected (S906). When the removal of the SIM card is detected (YES in S906), the process proceeds to the process (7) specifically shown in FIG.

  When the SIM card removal is not detected (NO in S906), it is confirmed whether or not there is access to the secure area (S907). When there is no access to the secure area, the process returns to the confirmation of the presence / absence of the communication means connection operation (S903). When there is an access to the secure area (YES in S907), the “offline authentication” process is started (S908). The success or failure of offline authentication is confirmed (S909). When the offline authentication is successful (NO in S909), access to the “secure area” is permitted (S912). Allowing access to the “secure area” means that access to the “secure area” can be used offline. Thereafter, the use end of the smart device 1 is confirmed (S913). If it is not confirmed that the use of the smart device 1 has been completed, the process returns to permitting access to the “secure area” (S912). When the end of use of the smart device 1 is confirmed, the process returns to the beginning of the flowchart of FIG. 12B in order to resume use of the smart device 1.

  When the offline authentication has failed (YES in S909), it is confirmed whether or not the number of times of authentication failure has been exceeded (S901). The confirmation of offline authentication (S909) is repeated until the number of occurrences of authentication failures exceeds. When the number of occurrences of the authentication failure is exceeded (YES in S910), the “secondary data leakage prevention” control process is performed (S911). The specific contents of the “secondary data leakage prevention” control process are shown in FIG. 17A described later. Thereafter, the process proceeds to the process (10) specifically shown in FIG.

  The process (10) performed after the “secondary data leakage prevention” control process (S911) of FIG. 15 will be described with reference to the flowchart of FIG. 16A.

  It is confirmed whether secondary defense state cancellation is necessary (S1001). The user of the smart device 1 contacts the administrator by some means, and moves the smart device 1 to the online environment (S1002). The server 20 waits for a defense status release notification from the server 20 (S1003) and confirms receipt of the release notification (S1004). When it is confirmed that the release notification has been received, the defense state is released (S1005). This defense state cancellation includes unlocking and offline authentication cancellation. Then, the state transitions to the “normal use state” (S1006).

  When it is not necessary to cancel the secondary protection state (NO in S1001), the transition condition to the “tertiary data leakage protection state” is monitored (S1007). The transition condition to the “tertiary data leakage protection state” is based on a timer value or the like. The expiration of the state transition condition to the “tertiary data leakage protection state” is confirmed, and the expiration confirmation of the state transition condition to the “tertiary data leakage protection state” is repeated while the expiration is not completed. When the expiration of the state transition condition to the “tertiary data leakage protection state” is confirmed (YES in S1008), a “tertiary data leakage prevention” control process is performed (S1009). A more specific content of the “tertiary data leakage prevention” control process is shown in FIG. 17B described later. Thereafter, the process proceeds to the process (11) specifically shown in FIG. 16B.

  The process (11) performed after the “tertiary data leakage prevention” control process (S1009) of FIG. 16A will be described with reference to the flowchart of FIG. 16B.

  It is confirmed whether the tertiary defense state needs to be canceled (S1101). The user of the smart device 1 contacts the administrator by some means, and moves the smart device 1 to the online environment (S1102). The server 20 waits for a defense status release notification from the server 20 (S1103), and confirms receipt of the release notification (S1104). When it is confirmed that the release notification has been received, the defense state is released (S1105). This defense state cancellation includes unlocking and offline authentication cancellation. Then, the state transitions to the “normal use state” (S1106).

  When it is not necessary to cancel the tertiary protection state (NO in S1101), the transition condition to the “quaternary data leakage protection state” is monitored (S1107). The transition condition to the “quaternary data leakage protection state” is based on a timer value or the like. The expiration of the state transition condition to the “quaternary data leakage protection state” is confirmed, and the expiration confirmation of the state transition condition to the “quaternary data leakage protection state” is repeated while the state transition condition has not expired. When the expiration of the state transition condition to the “quaternary data leakage prevention state” is confirmed (YES in S1108), the “quaternary data leakage prevention” control process is performed (S1109). More specific contents of the “quaternary data leakage prevention” control process are shown in FIG. 17C described later.

  Processing (12) performed after the rooting operation of FIG. 14 is detected (YES in S807) will be described with reference to the flowchart of FIG. 16CB. In this case, “quaternary data leakage prevention” control processing is performed (S1201).

  FIG. 17A shows more specific processing contents of the “secondary data leakage prevention” control processing such as S603. “Secondary data leakage prevention” control processing is started, and “lock control” is activated. This “lock control” is terminal lock or application lock. Next, the state transitions to the “secondary data leakage prevention state”. Next, a transition condition to the “tertiary data leakage prevention state”, such as a timer value, is set and monitored.

  FIG. 17B shows more specific processing contents of the “tertiary data leakage prevention” control processing of S1009. “Tertiary data leakage prevention” control processing is started, and “content erasure” is activated based on the erasure range definition information. Next, the state transitions to the “tertiary data leakage prevention state”. Next, a transition condition to the “quaternary data leakage prevention state”, such as a timer value, is set and monitored.

  FIG. 17C shows more specific processing contents of the “quaternary data leakage prevention” control processing in S1109. The “quaternary data leakage prevention” control process is started, and the state transitions to the “quaternary data leakage prevention state”. Unrecoverable erasure is performed on all data inside the smart device 1 except the OS. Next, the state transitions to the “initialized state”. This “initialized state” refers to a state before shipment from the factory.

(Effect of 2nd Embodiment)
In the smart device 1 to which the control device of this embodiment is applied, security enhancement (information leakage prevention) is possible as in the first embodiment.

  The reason is that in unauthorized access (such as rooting) and inability to remotely control smart devices (incommunicable state with SIM removed due to theft, loss, etc. or communication environment is not good (offline state)), etc. This is because content control inside the smart device becomes possible. Furthermore, it is possible to provide (implement) a service with further enhanced security (information leakage prevention) by performing detailed condition setting and data protection.

  Furthermore, in the smart device 1 to which the control device of the present embodiment is applied, customer (smart device user) satisfaction can be improved in a safe and secure use environment, as in the first embodiment.

  The reason is that in unauthorized access (such as rooting) and inability to remotely control smart devices (incommunicable state with SIM removed due to theft, loss, etc. or communication environment is not good (offline state)), etc. This is because detailed condition setting and data protection become possible. Eventually, all data (contents, applications, policy data, etc.) except for the OS inside the smart device will be erased in a non-recoverable manner (complete erasure). Can relieve customer's anxiety about the potential. Customer (smart device user) satisfaction can be improved by providing a safe and secure use environment for this system.

  Furthermore, in the smart device 1 to which the control device of the present embodiment is applied, it is possible to improve the convenience of business use of the smart device that maintains security as in the first embodiment. In other words, it is possible to achieve both security and convenience.

  When some trouble occurs during business use of a smart device, even the user himself / herself may be upset and misoperate the smart device, or may be misused by a person unfamiliar with IT when using the smart device. In this embodiment, by performing step-by-step data protection according to the security level based on detailed condition settings, while maintaining the security of the internal data of the smart device, the recovery work time required for resuming the use of the smart device is minimized. realizable. Here, the recovery work required for resuming the use of the smart device is a smart device use environment setting such as reinstallation of applications, contents, and policies. As described above, it is possible to provide an optimal smart device usage environment capable of achieving both security and convenience even when a problematic event occurs.

  In the smart device 1 to which the control device of the present embodiment is applied, when an event that requires deletion or invalidation of secret information is detected, control according to content multi-stage defense is performed from the normal use state. Thereby, data leakage can be suppressed.

  Further, in the smart device 1 to which the control device of the present embodiment is applied, even when the smart device exists in an offline environment, when an event that requires deletion or invalidation of confidential information is detected, the content is changed from the normal use state. Control according to multi-stage defense. Thereby, it is possible to suppress data leakage even for the smart device 1 in a state where remote control is impossible.

  For example, when the root of the smart device 1 is detected, the state is changed to the “quaternary data leakage prevention state”, and all the data inside the smart device 1 except the OS is erased unrecoverably. Thereby, leakage of secret information to a malicious smart device 1 user can be prevented.

  For example, when a SIM card extraction operation of the smart device 1 is detected, an allowable time required for recovery is input, and when an appropriate time input is detected, leakage that is more important during the input time. The recovery operation is monitored after the transition to the defensive state. As a result, it is possible to allow unintentional SIM removal by the user himself or a maintenance worker authorized by the user himself / herself. In addition, for the SIM card extraction operation by the user or a user other than the maintenance worker permitted by the user himself / herself, it is possible to perform a state transition to a leakage protection state with higher importance. Thereby, leakage of secret information to a malicious smart device 1 user can be prevented.

[Other Embodiments]
Although the present invention has been described with specific embodiments, the present invention is not limited thereto. FIG. 1A is a block diagram of an information processing apparatus that realizes a control apparatus according to an embodiment of the superordinate concept of the present invention. FIG. 1B is a block diagram illustrating a configuration of the control device 30 according to the superordinate concept embodiment. The information processing apparatus in FIG. 1A includes a CPU (Central Processing Unit) 31 and a memory 32. The control device 30 in FIG. 1B includes a monitoring unit 35 and a control unit 36.

  The control device 30 in FIG. 1B may be configured by causing the information processing device in FIG. 1A to read and execute a program for realizing the monitoring unit 35 and the control monitoring 36. This program can be distributed in the form of a computer-readable recording medium. The functions of the present embodiment may be realized by software by reading a program recorded in such a recording medium and executing the program by the information processing apparatus.

  That is, a program that causes the information processing apparatus of FIG. 1A to function as the monitoring unit 35 and the control unit 36 is used. A program that realizes such a function can be distributed in the form of a recording medium on which the program is recorded. This program is a general-purpose semiconductor recording device such as CF (Compact Flash (registered trademark)) and SD (Secure Digital), a magnetic recording medium such as a flexible disk, or a CD-ROM (Compact Disc Read Only Memory). ) And the like in the form of an optical recording medium.

  As mentioned above, although preferable embodiment and the Example of this invention were described, this invention is not limited to this. It goes without saying that various modifications are possible within the scope of the invention described in the claims, and these are also included in the scope of the present invention.

A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.
(Supplementary Note 1) A control device that makes a state transition between a normal use state of a smart device holding data and a plurality of leakage prevention states having different degrees of importance for preventing leakage of the data,
Monitoring means for monitoring the occurrence of an event that requires erasure or invalidation of the data;
When detecting the occurrence of an event that requires erasure or invalidation of the data, control means for causing the smart device to transition from the normal use state to the leak prevention state;
Control device including.
(Appendix 2) When an event that requires erasure or invalidation of the data occurs in the smart device in the offline environment, it is confirmed that the smart device has contacted the administrator or moved the smart device to the online environment. When the state is changed from the leakage prevention state to the normal use state,
The control device according to attachment 1.
(Appendix 3) When the occurrence of an event that requires erasure or invalidation of the data is detected, an allowable time required for recovery is input, and when an appropriate time input is detected, during the input time, Monitor recovery operations without transitioning to a more important leak protection state,
The control device according to attachment 1.
(Supplementary Note 4) The event that requires erasure or invalidation of the data is removal of a SIM (Subscriber Identify Module) card inserted into the smart device, and the recovery is re-insertion of the SIM card. The control device described in 1.
(Additional remark 5) When the said control means detects rooting of the said smart device, it controls so that unrecoverable deletion is performed about the data inside the said smart device,
The control device according to any one of supplementary notes 1 to 4.
(Appendix 6) a server;
A smart device including the control device according to any one of supplementary notes 1 to 5, which communicates with the server and retains the data.
(Appendix 7) A control method for causing a state transition between a normal use state of a smart device holding data and a plurality of leakage protection states having different degrees of importance for preventing leakage of the data,
Monitor the occurrence of events that require erasure or invalidation of the data,
When the occurrence of an event that requires erasure or invalidation of the data is detected, the smart device is transitioned from the normal use state to the leak prevention state.
Control method.
(Appendix 8) When an event that requires erasure or invalidation of the data occurs in the smart device in the offline environment, it is confirmed that the smart device has contacted the administrator or moved the smart device to the online environment. When the state is changed from the leakage prevention state to the normal use state,
The control method according to attachment 7.
(Supplementary note 9) When an occurrence of an event that requires erasure or invalidation of the data is detected, an allowable time required for recovery is input, and when an appropriate time input is detected, Monitor recovery operations without transitioning to a more important leak protection state,
The control method according to attachment 7.
(Supplementary note 10) The event that requires erasure or invalidation of the data is removal of a SIM (Subscriber Identify Module) card inserted into the smart device, and the recovery is re-insertion of the SIM card. The control method described in 1.
(Additional remark 11) When rooting of the smart device is detected, control is performed so as to perform irrecoverable erasure on the data inside the smart device.
The control method according to any one of supplementary notes 7 to 10.
(Supplementary Note 12) A control program for causing a state transition between a normal use state of a smart device holding data and a plurality of leakage prevention states having different degrees of importance for preventing leakage of the data,
Computer
Monitoring means for monitoring the occurrence of an event that requires erasure or invalidation of the data;
When detecting the occurrence of an event that requires erasure or invalidation of the data, control means for causing the smart device to transition from the normal use state to the leak prevention state;
Control program to function.
(Supplementary note 13) When an event that requires erasure or invalidation of the data occurs in the smart device in the offline environment, it is confirmed that the smart device has contacted the administrator or moved the smart device to the online environment. When the state is changed from the leakage prevention state to the normal use state,
The control program according to attachment 12.
(Supplementary Note 14) When the occurrence of an event that requires erasure or invalidation of the data is detected, an allowable time required for recovery is input, and when an appropriate time input is detected, during the input time, Monitor recovery operations without transitioning to a more important leak protection state,
The control program according to attachment 12.
(Supplementary note 15) The event that requires erasure or invalidation of the data is removal of a SIM (Subscriber Identify Module) card inserted into the smart device, and the recovery is re-insertion of the SIM card. The control program described in 1.
(Additional remark 16) When the said control means detects rooting of the said smart device, it controls so that unrecoverable deletion is performed about the data inside the said smart device,
The control program according to any one of supplementary notes 12 to 15.

1 Smart device 2 User Equipment (UE)
3 User Identity Module (UIM)
4 Wireless unit / control unit 5 CPU
6 Memory 7 Antenna 10 Radio Access Network (RAN) or WiFi Access Point (AP)
11, 12 lines 20 servers 100 Internet or Intra Network (IN)

Claims (10)

A control device that makes a state transition between a normal use state of a smart device holding data and a plurality of leakage prevention states having different degrees of importance for preventing leakage of the data,
Monitoring means for monitoring the occurrence of an event that requires erasure or invalidation of the data;
When detecting the occurrence of an event that requires erasure or invalidation of the data, control means for causing the smart device to transition from the normal use state to the leak prevention state;
Control device including. When an event that requires erasure or invalidation of the data occurs in the smart device in an offline environment, when contact from the smart device to an administrator or movement to the online environment of the smart device is confirmed, State transition from the leakage prevention state to the normal use state,
The control device according to claim 1. When the occurrence of an event that requires erasure or invalidation of the data is detected, an allowable time required for recovery is input, and when an appropriate time is detected, the input is more important during the input time. Monitor recovery operations without transitioning to a high leakage protection state,
The control device according to claim 1.   4. The event according to claim 3, wherein the event that needs to be erased or invalidated is removal of a SIM (Subscriber Identify Module) card inserted into the smart device, and the recovery is re-insertion of the SIM card. Control device. The control means, when detecting rooting of the smart device, controls to perform unrecoverable erasure on the data inside the smart device,
The control apparatus as described in any one of Claims 1 thru | or 4. Server,
A smart device including the control device according to any one of claims 1 to 5, which communicates with the server and holds the data. A control method for making a state transition between a normal use state of a smart device holding data and a plurality of leakage prevention states having different degrees of importance for preventing leakage of the data,
Monitor the occurrence of events that require erasure or invalidation of the data,
When the occurrence of an event that requires erasure or invalidation of the data is detected, the smart device is transitioned from the normal use state to the leak prevention state.
Control method. When an event that requires erasure or invalidation of the data occurs in the smart device in an offline environment, when contact from the smart device to an administrator or movement to the online environment of the smart device is confirmed, State transition from the leakage prevention state to the normal use state,
The control method according to claim 7. When the occurrence of an event that requires erasure or invalidation of the data is detected, an allowable time required for recovery is input, and when an appropriate time is detected, the input is more important during the input time. Monitor recovery operations without transitioning to a high leakage protection state,
The control method according to claim 7.   10. The event according to claim 9, wherein the event that needs to be erased or invalidated is removal of a SIM (Subscriber Identify Module) card inserted into the smart device, and the recovery is re-insertion of the SIM card. Control method.

Images