JP4948460B2 - Data management system - Google Patents

Description

  The present invention relates to a data management system that centrally manages an action of a user taking out data from a terminal to the outside by writing data to various media or sending an e-mail.

  Conventionally, since there is no mechanism for managing the export of data from a terminal such as a personal computer to the outside, there is a risk that the user may be encouraged to illegally export corporate data. In addition, a system that uses a virtual client or the like to increase security has a problem that it interferes with data communication in a business partner or in the company due to terminal restrictions.

  Therefore, in order to improve the safety of the created data file, a file processing method and a technique related to a processing device that can be used by this method have been proposed. (For example, see Patent Document 1).

The present invention also relates to a technique for managing a file containing personal information, confidential information, and the like held in an information processing apparatus such as a personal computer, and in particular, managing writing / transmission of the file from the information processing apparatus to an external medium. Technology has been proposed. (For example, see Patent Document 2).
JP 2003-122615 A JP 2007-34651 A

  As described above, there is no mechanism for the administrator to grasp the action of the user taking out data from the terminal to the outside by writing data to a medium such as USB or sending an e-mail.

  For this reason, there is a problem in that the check on the user does not work and there is a possibility that the user may be encouraged to illegally leak corporate data.

  In addition, an increasing number of companies are introducing security terminals such as virtual clients to improve security and effectively use assets. However, security terminals may be set to prohibit the export of data outside the computer. In many cases, there is a problem that it may interfere with data communication within a business partner or in the company for the control.

  In the setting of prohibiting the export of data to the outside in the security terminal, it is possible to suppress the above problem by setting the terminal for each user. Setting is inefficient in operation. For this reason, in many companies, a setting master to which a company policy is applied is prepared and the same setting is performed on all terminals, and the problem has not been solved.

  Further, the file processing method of Patent Document 1 and the processing device technology that can be used in this method are a mechanism limited to the company itself, and cannot transmit data attached to an e-mail, etc. It is not possible to link data with the other party. In addition, since there is no mechanism for the administrator to grasp the history of data export from the terminal to the outside, the problem that there is a possibility that fraudulent outflow may be promoted without checking the user.

  Furthermore, the present invention relates to a technique for managing a file containing personal information, confidential information, and the like held in an information processing apparatus such as a personal computer of Patent Document 2, and in particular, writing / excluding the file from the information processing apparatus to an external medium. With regard to the technology for managing transmission, there is no mechanism for the administrator to centrally manage the data export history from the terminal, so the check on the user does not work sufficiently and may lead to the promotion of fraud The problem of sexuality has not been solved.

  The present invention has been made in view of such circumstances, and it is necessary for the administrator to approve the data export from each terminal, and the management of the data export history from the terminal with the management server enables the transaction. The purpose is to provide a data management system that allows the administrator to check the user without disturbing the data linkage in the company or in the company, and prevents the illegal leakage of corporate data by the user. To do.

  The data management system of the present invention is a data management system that manages the outflow of data from a terminal to the outside by data cooperation between a management server and a terminal connected via a transmission line, and the terminal is connected to the terminal from the terminal In response to an operation of leaking data to the outside, identification information transmission means for transmitting data including the identification information of the terminal to the management server, and permission of data leakage from the terminal transmitted from the management server to the outside Data outflow control means for executing outflow of data from the terminal to the outside based on the approval data in which the setting to be embedded is embedded, and the management server includes the terminal based on the identification information transmitted from the terminal When the terminal is specified, the approval data embedded with the setting for permitting the outflow of data from the terminal to the outside is generated and transmitted to the terminal. Based on the approval means, the identification information of the terminal transmitted from the terminal, and the date and time when the identification information was transmitted from the terminal Generates the history data of the process for generating the number and specifying the terminal, the history data of the process for generating the approval data and transmitting it to the terminal, and the outflow of the data generated at the terminal to the outside History storage means for storing the history data of the processed process in a data file in association with the management number.

  Here, “data” flowing out from the terminal means information such as digitized characters and images held by companies, organizations, academic institutions, and the like. The “operation for causing data to flow out from the terminal” means an operation such as data writing to an external medium, storage of a copy, transmission of data to the external terminal by e-mail or the like by a user. The “identification information transmission means” detects and executes an operation for leaking data to the outside by a computer program such as an application or a function of an operation system.

  The “external media” refers to various storage media such as an external hard disk, USB media, CD-ROM writer, and flexible disk drive connected to the terminal. Included in “external media”.

  Here, “outflow” includes not only the act of taking out data to the outside at the user's will but also the case where the operation is performed regardless of the user's intention due to unauthorized intrusion from the outside of the terminal, computer virus, etc. .

  “Identification information” means information specifying a “terminal” or “user using a terminal” such as a MAC address, an IP address, a user ID set in a company, and the like for each terminal or user provided in advance. The terminal or user is identified by collating with the data of the identification information.

  The “approval data” is a data file or the like in which a setting for permitting execution of data outflow to the outside is embedded, and is created based on the content requested by the user in the operation of outflowing data to the outside. In addition, by providing data in a range that allows execution of data outflow to the outside, it is possible to create “approval data” by limiting the content requested by the user in the operation of outflowing data to the outside. . In addition, the range in which execution of data outflow to the outside is permitted can be set for each identified terminal or user.

  Next, the “management number” refers to the data created at the terminal that is created based on the “identification information” of the terminal transmitted from the terminal and the “date and time” of the identification information transmitted from the terminal. This is a unique number that indicates the operation to be leaked as a unit, and is generated, for example, by combining the MAC address of the terminal that performed the operation to drain data from the terminal with the date and time when the operation etc. was performed by a time stamp or the like The In addition, in the case of performing an operation of flowing a plurality of data from the terminal to the outside by one operation, in order to perform management in individual data units, for example, the serial number for each data is added to the above management number. Detailed management can be performed by attaching.

  “History data of a process for identifying a terminal” means history data such as a log file for the process of identifying a terminal that is performed based on identification information transmitted from the terminal. It also includes the history when no identification is made.

  “History data of processing for generating approval data and transmitting it to the terminal” means generating and transmitting approval data in which the setting for permitting the outflow of data from the terminal to the outside is embedded for the specified terminal For processing, it means historical data such as log files. It also includes a history when approval data is not transmitted.

  “History data of the process that executed data outflow to the outside” means history data such as a log file for the process that executes data outflow to the outside at the terminal. In addition, the history when execution is not performed is also included.

  These histories are linked to the “management number” and managed as a series of data from the time when the data is leaked from the terminal to the outside until the data is leaked to the outside. The

  According to the present invention, the outflow of data from the terminal to the outside can be centrally managed in the management server, so that the effect of preventing unauthorized outflow by the user can be achieved. In addition, even when an illegal outflow is detected, it is possible to speed up the initial response and reduce the number of response steps.

  Furthermore, since related processing is saved as a series of history data, even if the data is not actually leaked from the terminal, the history of the operation will be saved, There is an effect that unauthorized access can be grasped at an early stage.

  In the present invention, processing is performed in a distributed manner by the cooperation of data between the management server and the terminal, so that each burden can be reduced and hardware resources can be used effectively.

  In the data management system of the present invention, the approval data generated by the terminal approval unit has an expiration date, and the data outflow control unit receives the approval data from the management server and receives the approval data. The data to be leaked from the terminal to the outside in the operation of the terminal is copied from the storage area used by the user of the terminal to the storage area not used by the user, and the outflow of data from the terminal to the outside is used by the user This is done based on the data replicated in the storage area, and when the data outflow from the terminal is executed, or the expiration date of the approval data has passed without executing the data outflow from the terminal to the outside In this case, the data copied to the storage area not used by the user is erased.

  Here, the “expiration date of approval data” means that the approval data transmitted by the terminal approval means includes data of any date and time, and the data outflow control means determines the date and time data at the time of execution, This means that no data leakage is executed.

  The “storage area used by the user of the terminal” is an interface portion that stores programs such as data files and applications that are actually operated by the user, and means storage areas such as My Documents and user folders.

  A “storage area not used by the user” is a folder or the like that stores a management program that is not directly operated by the user, and is made invisible by software or restricted by the user's access authority. It can also be set so that it cannot be used.

  In addition, “when the expiration date of the approval data has passed without executing the outflow of data from the terminal to the outside” means that when the user performs an operation of outflowing data from the terminal to the outside, such as specifying the terminal "Authorization data" is transmitted after processing, and data is leaked from the terminal to the outside. For example, when writing data to external media or saving a copy, writing cannot be performed depending on the status of the external media. In some cases, or when sending data to an external terminal by e-mail, etc., the expiration date will pass without the data being leaked from the terminal to the outside. Means.

  In addition, when data is leaked from the terminal to the outside, when the input area is displayed for the purpose of confirmation by the user, the case where the user does not input to the input area is also included .

  According to the present invention, since the target data is erased after the execution of the data outflow to the outside or after the expiration date of the approval data has passed, it is possible to limit the outflow again and the like. The effect that can be secured.

  Further, since the data to be leaked is copied from the storage area (interface) used by the user of the terminal to the storage area not used by the user and processed, the work performed by the user is not affected. Play.

  In addition, because the processing to execute outflow on the replicated data is performed in an independent storage area, the business should be versatile without affecting the operation of the core business system adopted by the company. Can do.

  In addition, by restricting user operations in storage areas that are not used by the user, outflow processing of copied data is performed in storage areas that cannot be operated by the user. However, it is possible to prevent the falsification of the history by a malicious user. Note that, in a security terminal such as a thin client, a storage area for storing a management program or the like is normally set so that the user cannot operate it, and the same effect can be obtained.

  In addition, the data management system of the present invention is preliminarily provided with data defining a range that allows the outflow of data from the terminal set for each terminal to the outside, and the terminal approving means includes the specified terminal, Judgment is based on data that defines the range of data allowed to flow from the terminal to the outside, and approval data is generated that limits the range of data allowed to flow from the terminal to the outside according to the terminal. And

  Here, the “range that allows data outflow from the terminal set for each terminal” is different from the type of information handled by the department or responsibility in which the “terminal” is placed in the company. It means a standard that permits the outflow of data to the outside determined according to importance.

  In addition, as a range which permits the outflow of data from the terminal, for example, a time range in which the outflow of data to the outside is executed, a limit on the amount of data permitted to be outflow, a data file file, etc. The upper limit of the size, the restriction of the outflow by the file type estimated by the extension, etc., the restriction of the outflow for the unencrypted file, etc. can be mentioned.

  “Data that defines the range of data allowed to flow out from the terminal set for each terminal” refers to the identification information data for each terminal or user prepared in advance, depending on the importance of the security of the information to be handled, etc. It includes data that includes standards that allow the outflow of data as defined by

  "Approval data that restricts the range of data allowed to flow out from the terminal" means a data file that defines the range of data allowed to be leaked to the outside. It is created on the basis of the content requested by the operation to be performed and “data defining a range in which the outflow of data from the terminal to the outside” is preset for each terminal or user. It should be noted that the determination of the range in which data is allowed to flow out from the terminal can be set for each identified terminal or user.

  Here, “data defining the range of data allowed to be leaked from the terminal to the outside” includes, for example, approval performed when permitting data leak from the terminal to the outside due to the importance of terminal security. It also includes automatic approval in the management server or the like, human approval by the workflow system or the like, and data defining the approval method.

  Here, “human-based approval” is not limited to those performed by an administrator who is authorized to manage information in a company, etc., but is linked to the functions of the workflow system, etc. This includes the case where is performed.

  According to the present invention, for a terminal with a high security level, approval data can be generated using a stricter standard, so that it is possible to ensure high security.

  Further, the data outflow control means in the data management system of the present invention receives the transmission of the approval data from the management server, and transmits data to be leaked from the terminal to the outside in the operation of the terminal. If the data is copied from the storage area used by the user to the storage area not used by the user, and the data copied to the storage area not used by the user is subjected to a filtering test, if predetermined data is detected, The data copied to the storage area not used by the user is erased without executing the outflow of data to the outside.

  Here, the “filtering inspection” means an inspection process in which a data file or the like is evaluated and discriminated based on a certain standard and selectively excluded, and includes a process such as screening.

  “Predetermined data” refers to, for example, text data, specific phrases relating to personal information, confidential information, etc., computer virus program data defined to prevent the spread of computer viruses, etc. Various data formats can be specified by setting.

  According to the present invention, when a predetermined phrase such as personal information is included in the data to be leaked, for example, it is possible to detect it by a filtering inspection, so that illegal leakage is avoided. There is an effect that can be.

  In addition, as the data to be leaked is temporarily stored as an area for quarantine, it is copied to a storage area not used by the user and the filtering inspection is performed, so that the work performed by the user is not affected. Play.

  Further, in the data management system of the present invention, the approval data generated by the terminal approval unit includes identification information of the terminal that has performed the approval, and the data outflow control unit includes an identification number included in the approval data. The terminal other than the terminal is characterized by not executing data outflow from the terminal to the outside.

  According to the present invention, since the outflow of data from terminals other than the approved terminal can be restricted, it is possible to reliably manage the history of the outflow of data and to secure the security.

  Further, the data management method of the present invention is a data management method for managing the outflow of data from a terminal to the outside by data cooperation between a management server and a terminal connected via a transmission line. In response to an operation of leaking data to the outside, the step of transmitting data including identification information of the terminal to the management server, the identification information of the terminal transmitted from the terminal in the management server, and the terminal Based on the date and time when the identification information is transmitted, a management number is generated in units of an operation of flowing data made at the terminal out of the terminal and stored in a data file, and transmitted from the terminal The terminal is specified based on the identification information of the terminal, and when the terminal is specified, a setting for permitting the outflow of data from the terminal to the outside is embedded. Generating approval data and transmitting it to the terminal; generating history data of processing for identifying the terminal; generating history data of processing for generating the approval data and transmitting it to the terminal; Storing the data in a data file in association with the number, executing the outflow of data from the terminal to the outside based on the approval data transmitted from the management server in the terminal, and the outside generated in the terminal The management server receives the history data of the process that executed the data outflow through the transmission path, and stores the history data in a data file in association with the management number.

  Here, the “management number” is a unique number generated based on the identification number of the terminal included in the data first transmitted to the management server and the date and time of transmission. Function as the primary key.

  In the data management system and data management method of the present invention, in addition to the outflow of data from the terminal to the outside, the inflow of data from the outside to the terminal can be managed.

  The data export control means provided in the terminal detects the inflow of data from the outside to the terminal by a computer program such as an application or the function of the operation system, etc., and the history storage means provided in the management server that performs processing in cooperation, Stores information on data that flows into the terminal from outside. As a result, the management server centrally manages the information of the data that flows from the outside in the storage area used by the user of the terminal.

  Here, the inflow of data from the outside to the terminal is caused by writing data from an external medium, storing a copy, receiving data from the external terminal by e-mail, or the like.

  In addition, “information of data flowing in from the outside” means, for example, information such as the file name of the data that flowed in, the identification information of the terminal of the inflow destination, the identification number or e-mail address of the terminal of the inflow source, the type of external media means.

The terminal approving means provided in the management server defines a range that allows data outflow from the terminal to the outside, which is set in advance for each terminal or user when determining the range in which data outflow from the terminal is permitted. In addition to “data”, a file name or the like of data to be leaked to the outside is extracted, and a comparison determination is performed based on the file name of the data that has flowed into the terminal from the outside or the identification information of the terminal of the flow-in destination.
As a result of the determination, when the data to be leaked to the outside is “data that has flowed into the terminal from the outside”, the range in which the flow of data from the terminal to the outside is permitted is limited.

  Accordingly, it is possible to prevent a situation in which a data file that is not managed by the user and should not be taken out to the outside can be prevented.

  In addition, the determination here includes “inflow source attribute information” such as the identification number, e-mail address, and external media type of the inflow source of “data flowing into the terminal from the outside” and the inflow source attribute. Thus, it is possible to set so that different approval data is generated based on data or the like that defines a range in which data outflow from the terminal to the outside is permitted.

  As a result, for example, for data flowing from a department that handles a lot of confidential information and personal information, the outflow of data from the terminal to the outside can be individually restricted.

  For example, for data flowing from other departments, whether or not the search keyword stored in the filtering table in which the relative keywords such as personal information handled by each department are registered matches is matched. In such a case, the identification information of the inflow destination terminal is stored in association with the keyword, and when there is an operation to discharge data to the outside from the inflow destination terminal, the information is stored in the data related to the outflow. It is possible to determine whether or not a keyword is present, and if it exists, human approval may be executed by a workflow system or the like instead of automatic approval. As a result, it is possible to effectively prevent data flowing from other departments in the network of the company or the like from flowing out of the network of the company or the like.

  According to the data management system of the present invention, it is possible to centrally manage the history of data taken out by the user to the outside, so that the user is restrained and a deterrent against illegal leakage of data can be generated.

  Further, even when an unauthorized data leakage is detected, the initial response can be speeded up and the number of response steps can be reduced by the detailed history of the user taking out the data to the outside.

  Furthermore, even in a security terminal using a technology such as a virtual client, it is possible to easily control and set data linkage for each user without being restricted by the terminal.

Hereinafter, a first embodiment of the data management system 1 of the present invention will be described.
FIG. 1 is a diagram showing an overview of a data management system 1 according to the first embodiment.

  In the present embodiment, the management server 10 and the user terminal 2 perform processing through data cooperation via a dedicated line 3 (not shown).

  The management server 10 records the history of data files flowing out of the terminal by writing or duplicating data files from the user terminal 2 to the external medium 5 or sending e-mail from the user terminal 2 via the network 6 (not shown). to manage.

  Here, the management server 10 issues a “carry-out key” necessary for taking out the data file to the outside by the user, and manages a history etc. of the data file leaked to the outside (terminal approval unit 123). A history storage unit 124), an “authentication DB 131” that holds terminal authentication data necessary for issuing a take-out key, a “history management DB 132” that stores a history of data files leaked to the outside, and the like.

  The user terminal 2 stores a storage area of the interface portion (20) that stores a data file that the user actually performs a business operation, a business program 225, and the like, and a storage that stores a management program that the user does not directly operate. It is composed of areas.

  A storage area storing a management program or the like that is not directly operated by the user can be effectively implemented by, for example, setting invisibility by software or restricting the user's access authority.

  The storage area of the interface portion (20) includes a “user folder 231” such as “My Document” that stores a data file that is a target of operation by the user. “Key application program” (identification information transmission means 223) for applying for a take-out key necessary for taking out the data file to the storage area where the user does not directly operate, and controlling the execution of the take-out based on the take-out key A “export control program” (data outflow control means 224), a “export folder 232” for copying and storing the data file that is the target of the export operation, and the like.

  Note that the data management system 1 of the present embodiment can also be introduced in a security terminal using a technology such as a virtual client. In such a case, the data storage area needs to be implemented in the user terminal 2. Instead, it may be performed in a virtualized storage.

  Further, in this example, a server & client type network configuration is used, but in a distributed network, a configuration may be adopted in which any terminal has a management function.

FIG. 2 is a functional block diagram in the data management system 1 of the present embodiment.
The data management system 1 according to this embodiment includes a management server 10 and a workflow system server 4 that are connected to a user terminal 2 or the like on which a user performs business via a dedicated line 3. The management server 10 manages the history of data file export in the user terminal 2 or the like. The transmission / reception unit 21 of the user terminal 2 is connected to the external terminal 7 and the like via the external medium 5 and the network 6 such as the Internet.

  The management server 10 constituting the data management system 1 includes a transmission / reception unit 11 connected to the dedicated line 3 and the like, a central processing unit 12 that performs arithmetic processing related to data management, and a storage unit that holds information necessary for data management 13, an input unit 14 such as a keyboard for inputting data, and an output unit 15 such as a display device or a printer for outputting data.

  The transmission / reception unit 11 of the management server 10 according to the present embodiment is connected to the user terminal 2, the workflow system server 4, and the like via the dedicated line 3.

  Transmission to the central processing unit 12 is performed from a transmission / reception processing unit 121 that exchanges data with the transmission / reception unit 11, an input / output processing unit 122 that exchanges data with the input unit 14 or the output unit 15, and the user terminal 2. Terminal approval means 123 (management program) that approves the terminal based on the identification information to be issued, issues a take-out key and transmits it to the user terminal 2 and the like, and history that stores the history of data file outflow in the user terminal 2 and the like A storage unit 124 (management program) is provided.

  The storage unit 13 includes an authentication DB 131 that holds data necessary for authentication of the user terminal 2 and the like, a history management DB 132 that manages a history of data file outflow in the user terminal 2 and the like.

In FIG. 3, the structural example of authentication DB131 with which the memory | storage part 13 is provided is shown.
The authentication DB 131 holds data such as an approval method for each piece of identification information such as the user terminal 2. In this example, a “MAC address” that is a physical address unique to hardware is adopted as the “terminal management number” that is identification information of the user terminal 2 or the like. The terminal management number can also be set with an IP address or a user ID set in the company according to the security level of the company.

  For example, by setting the terminal management number to the user ID or the like, management can be performed for each user who has logged in at the same terminal. Therefore, even in an environment where terminals are shared by multiple users, The data file export history can be managed for each.

  Further, the authentication DB 131 of this example holds “approval method” data for each terminal management number. By assigning “approval method” data to the user terminal, authentication according to the security level is enabled. In this example, the export of a data file from a terminal with a high security level is approval in the workflow, and automatic approval in cooperation with the authentication DB 131 is performed in other terminals.

  Although not shown, the data managed in the authentication DB 131 is not limited to the “authorization method” of the user terminal. For example, information on the name, contact information, and other attributes of the employee who uses the user terminal is stored. By holding it, it is possible to systemize the response when an illegal outflow of data is detected.

FIG. 4 shows a configuration example of the history management DB 132 provided in the storage unit 13.
In the history management DB 132 of the present embodiment, data such as a user authentication result, a workflow result, an output date / time of a take-out key, a filtering inspection result, a take-out date / time, a file name, a completion status, and the like are stored using the “management number” as a main key.

  The “management number” in the present embodiment is configured by adding the transmitted “date and time” data to the “MAC address” data of the user terminal 2 that has made the key request using a time stamp or the like (identification). Information transmission means 223).

  Although not shown, information such as the path, mail address, file size, etc., where the data file was taken out can also be held. This makes it possible to speed up the initial response and reduce the number of response steps when an unauthorized data leak is detected.

  Next, the configuration of the user terminal 2 connected to the management server 10 or the like via the dedicated line 3 will be described (FIG. 2).

  The transmission / reception unit 21 of the user terminal 2 of the present embodiment is connected to the management server 10, the workflow system server 4 and the like via the dedicated line 3, and is connected to an external hard disk, USB media, CD-ROM writer, Connect to external media 5 such as a flexible disk drive. Further, it is connected to an external terminal 7 or the like via a network 6 such as the Internet.

  The central processing unit 22 includes a transmission / reception processing unit 221 for exchanging data with the transmission / reception unit 21, an input / output processing unit 222 for exchanging data with the input unit 24 or the output unit 25, and a user creates a document at the terminal Identification information for transmitting the identification information of the user terminal 2 to the management server 10 when the user performs a data file export operation to the outside by a business program 225 for performing business operations such as spreadsheet, database, e-mail, etc. Transmission means 223 (key application program), data outflow control means 224 (takeout control program) for executing data outflow based on a “takeout key” transmitted from the terminal approval means 123 (management program) provided in the management server 10, etc. Is provided.

  The storage unit 23 includes a user folder 231 that holds data necessary for a user's business operation, a take-out folder 232 that duplicates and temporarily saves a target data file when a user takes the data out to the outside. Has been.

  In the user terminal 2 of the present embodiment, only the storage area of the interface unit 20 storing the data file (user folder 231), the business program 225, etc. that the user actually performs the business operation is set to be operable. In other areas, the user cannot normally operate. In FIG. 2, the interface unit 20 is indicated by a broken line.

  Next, an outline of the operation in the data management system 1 of the present embodiment will be described based on the schematic diagram of FIG.

  First, a user who performs a business operation on the user terminal 2 executes a process that involves taking out a data file to the outside.

  Here, the data file that the user processes on the terminal 2 is stored in the user folder 231 (My Document) in the interface unit 20. In this example, the user performs an operation of writing the data file stored in the user folder 231 to the external medium 5.

  The user's operation to take out the data file beyond the interface unit 20 is detected as a “take-out request” by the key application program (identification information transmission means 223). Further, the key application program (identification information transmission means 223) duplicates and saves the data file that is the object of the take-out operation in the “take-out folder 232” in the save area that is not directly operated by the user of the user terminal 2. To do.

  The key application program (identification information transmission means 223) that has received the take-out request from the user transmits “terminal information” required for the take-out key request to the management server 10 (key request). Specifically, the date and time when a request is made to the management program (terminal approval means 123) of the management server 10 that extracts the MAC address data that is identification information from the user terminal 2 and connects via the dedicated line 3 (not shown). Is transmitted along with the data.

  When the management program (terminal approval unit 123) receives the received key request from the user terminal 2 or the like, performs authentication based on the terminal information (identification information) and the data held in the authentication DB 131, and the authentication is performed. Issue a "take-out key" to The issued take-out key is transmitted to the key application program (identification information transmission means 223) of the user terminal 2.

  The take-out key includes various data such as terminal information of the user terminal 2, a sequence for restricting re-use, an expiration date, and the number of allowed take-outs.

  When a key is requested and issued, the management program (history saving means 124) executes and the history data of the key request and take-out key issued from the user terminal 2 is stored in the history management DB 132 provided in the management server 10. Register. The “MAC address” transmitted as the “key request” and the “date / time” data for transmitting the request are unique in combination, and are associated with various data as the main key (management number) in the history management DB 132. Is done.

  The key application program (identification information transmission means 223) that has received the take-out key presents the take-out key to the take-out control program (data outflow control means 224). The take-out control program (data outflow control means 224) having received the take-out key executes data file take-out based on the data included in the take-out key.

  Specifically, if the data file export associated with the operation performed by the user on the interface unit 20 such as the user terminal 2 is within the content included in the export key, the operation is executed. On the other hand, if it is not within the range included in the take-out key, the operation is not executed.

  Next, the take-out control program (data outflow control means 224) copies or saves the data file to be taken out of the user terminal 2 to the outside of the user terminal 2 for data that has been copied to the take-out folder 232 by the identification information transmission means 223, Send an email with a file attached.

  When data export is executed, the export control program (data outflow control means 224) generates an “execution log” which is data export history data, and stores it in the management program (history storage means 124) of the management server 10. To transmit. The management program (history saving means 124) that has received the transmission of the execution log registers the execution log in association with the data of the “management number” that has already been registered (FIG. 4).

[Key application program (identification information transmission means 223)]
FIG. 5 is a diagram for explaining the processing flow of the key application program (identification information transmission means 223) provided in the user terminal 2.

  First, the key application program (identification information transmission means 223) is executed by the activation of the user terminal 2 or the like, reads a setting file prepared in advance, and prepares for a take-out request from the user (S101). An example of the “setting file” in the present embodiment is shown in FIG.

  In this example, the “number of key request log outputs” setting is “100”. Here, in the operation of taking out the data file to the outside by the business program 225 or the like, it is possible to carry out a plurality of data files with one operation, for example, simultaneous transmission of an e-mail attached with the data file. For this reason, an upper limit is set for the number of data file exports that can be performed in one operation. As a result, it is possible to avoid an infinite flow of data files.

  In this example, the “response waiting time” is set to “30 minutes”. Here, “response waiting time” means an allowable range of waiting time until receipt of a take-out key from the management server 10 that cooperates when applying for a take-out key. The “latest response time” is a time obtained by adding a response waiting time to the current time, and is not set as a default value.

  In this example, the setting of “terminal management number”, which is “identification information” of the user terminal, is “MAC address”. The setting here may be “IP address” or “user ID” set in the company according to the security level of the company.

  The “user operation (exported file operation)” setting is “lock”. Here, during the process from application to receipt of the take-out key, the user sets whether to restrict operations such as editing of the data file that is the object of the take-out application. When the setting here is not “lock”, the convenience of the user is not limited. On the other hand, in the case of “lock”, safety can be improved by ensuring the identity of the data file related to the export process before and after the process.

  After the setting file is read, an operation that involves taking out the data file from the user is monitored. Specifically, the key application program (identification information transmission means 223) is taken out from the user when an operation involving movement of a data file across the interface unit 20 is selected in the operation system or business program 225. It is detected as a request (S102).

  The key application program (identification information transmission means 223) that has detected the take-out request from the user releases the “lock” of the user operation to the target data file (S103).

  Next, a message “Request to bring out. If workflow approval is required, please contact the approver” is output to the monitor (output unit 25) of the user terminal 2 (S104).

  As a result, a user who does not require workflow approval waits until the end of the process. On the other hand, a user who needs workflow approval contacts the approver. Specifically, a predetermined workflow process is performed by connecting to the workflow system server 4 connected to the user terminal 2 via the dedicated line 3.

  Next, the key application program (identification information transmission means 223) performs a take-out key request process (S105). Specifically, in this example, the date and time for requesting the take-out key is added to the “MAC address” of the user terminal 2 or the like, which is the identification information of the user terminal (FIG. 4), and a “key request file” is created. The processing is transmitted to the management program (terminal approval unit 123) of the management server 10 that performs the processing in cooperation.

  Further, a response waiting time is added to the current date and time to calculate and hold the value of “latest response time”. In addition, a “key request log” is output to the monitor (output unit 25) of the user terminal 2 in which the date and time when the take-out key is requested, the latest response time, and the file name to be taken out to the outside are described ( FIG. 7).

  Simultaneously with the request for the export key, the data file to be externally exported is copied and saved from the user folder 231 of the user terminal 2 to the export folder 232. The transmission date and time is attached as attribute information to the data file here.

  The file operation lock in the user terminal 2 is executed only for the data file to be taken out to the outside.

  This is the end of the take-out key request process. The key application program (identification information transmission means 223) receives the end of the request process, and sets the value of “counter A” of the loop for detecting receipt of the take-out key to “0” (S106).

  In the process of detecting receipt of the take-out key, when the date and time when the take-out key is transmitted from the management program (terminal approval unit 123) is larger than the latest response time, that is, until the latest response time elapses, or The loop processing is repeated until the value of “Counter A” becomes “1” (S107, S111).

  The key application program (identification information transmission means 223) detects the receipt of the takeout key transmitted from the management program (terminal approval means 123) provided in the management server 10 and reads the takeout key (S108, FIG. 8). .

  Next, the key application program (identification information transmission means 223) refers to the take-out key and determines whether or not “take-out permission is permitted” and the terminal management number (MAC address) included in the management number is the MAC address of the own terminal. Determine whether or not. When the “AND” condition that “permitted allowance” is “permitted” and the MAC address of the terminal itself is satisfied (“YES” in S109), the value of “Counter A” of the loop is changed. “1” is set (S110). As a result, the loop processing ends (S107, S111).

  Next, the key application program (identification information transmission means 223) presents the take-out key to the take-out control program (data outflow control means 224) that performs processing in cooperation (S113), and monitors the user terminal 2 (output unit 25). ) Is output a message “Approval has been completed. Please continue the operation.” (S114).

  Thereafter, the “lock” of the user operation to the target data file is released (S117), and the process is terminated.

  On the other hand, when the receipt of the take-out key transmitted from the management program (terminal approval unit 123) is not detected in S108, the loop counter is repeated because the value of “Counter A” in the loop is “0”.

  Thereafter, when the date and time when the take-out key transmission is received from the management program (terminal approval unit 123) has passed the latest response time, the loop counter is terminated with the value of the loop "counter A" remaining at "0". (S107, S111).

  As a result of the determination of the take-out key in S109, if “permitted for take-out” is “No” or is not the MAC address of the own terminal (“NO” in S109), the date and time when the take-out key is received is the most. If the value of “Counter A” is not “1” because the delay response time has elapsed (“NO” in S112), the “key request log” and “take-out” are displayed on the monitor (output unit 14) of the user terminal 2. A message “You cannot take out. Please contact the administrator” is displayed together with the data of “Key” (S115).

  After that, in S105, the data file that is copied and stored in the export folder 232 and that is to be exported to the outside is deleted (S116). In this case, the data file to be taken out to the outside is specified by the date and time of the key request (S203 in FIG. 9 described later) constituting the “management number” recorded in the “takeout key” and the external in S105. This is performed by matching with the transmission date and time attached to the data file to be taken out (identification information transmission means 223).

  Thereafter, the “lock” of the user operation to the target data file is released (S117), and the process is terminated.

  In this embodiment, the flow after S102 operates as a child process. As a result, the burden on the system can be reduced.

[Management program (terminal approval means 123)]
FIG. 9 is a diagram illustrating a processing flow of the management program (terminal approval unit 123) provided in the management server 10.

  First, the management program (terminal approval unit 123) detects the “key request file” transmitted from the key application program (identification information transmission unit 223) included in the user terminal 2 or the like (S201), and reads the data. (S202).

  Data of “MAC address” which is identification information of the user terminal 2 and the like is acquired from the read “key request file”, and a “management number” is created by adding a transmission date and time. In the present embodiment, when a key request is made from the same terminal at the same date and time, a serial number starting from “00” is assigned (S203). Thereby, management can be performed in units of data files to be taken out in each request.

  Next, the management program (terminal approval unit 123) performs user authentication based on the MAC address of the user terminal 2 or the like included in the management number. Specifically, the “terminal management number” in the authentication DB 131 (FIG. 3) provided in the storage unit 13 of the management server 10 is searched to identify the user terminal from the MAC address (S204).

  An example of a response from the authentication DB 131 is shown in FIG. Based on the “management number”, data such as “authentication result” is success or failure, “approval method” is manual or automatic, and “expiration date” of the take-out key is output. Note that the “expiration date” of the present embodiment is “2 hours” by default, and a time obtained by adding 2 hours to the current date and time is output. In addition, the “number of allowed export” is also output, and the default value is “1”. As a result, it is possible to limit the outflow of a plurality of the same files and avoid an excessive burden on traffic.

  When the determination result (S205) of the user terminal authentication is “success (permitted)” (“permitted” in S205), the management program (terminal approving means 123) takes out the data file to the outside by the user. Move to approval process.

  On the other hand, when the determination result (S205) of the user terminal authentication is “failure (non-permitted)” (“not permitted” in S205), the take-out key is not issued and the take-out key request file is detected. History data until the user terminal authentication failure is generated. The generated history data is stored in the “history management DB 132” (FIG. 4) provided in the storage unit 13 of the management server 10 by the management program (history storage unit 124).

  When the determination result (S205) of the user terminal authentication is “success (permitted)” (“permitted” in S205), the management program (terminal approval unit 123) reads the “approval method” data and determines (S206).

  If the result of the “approval method” determination is “automatic” (“automatic” in S206), data of “carry-out key” is generated based on the response from the authentication DB 131 (S209).

  On the other hand, if the result of the determination of “approval method” is “manual” (“manual” in S206), approval by workflow is performed (S207).

  In this embodiment, the processing is performed in cooperation with a workflow system introduced by a company or the like, and the user performs input / output in the user terminal 2 and processing of the workflow system server 4 connected to the transmission / reception unit 21 through the dedicated line 3. Thus, approval by workflow can be performed. The result of the approval can be received by the management program (terminal approval means 123) of the management server 10 connected to the transmission / reception unit 41 of the workflow system server 4 via the dedicated line 3, and can be linked to the key issuing process.

  If the determination result of the workflow is “approval” (“approval” in S208), “take-out key” data is generated based on the response from the authentication DB 131 (S209).

  On the other hand, if the workflow determination result is “denied” (“denied” in S208), the export key is not issued, and history data from the detection of the export key request file to the determination of denial in the workflow is generated. To do. The generated history data is stored in the “history management DB 132” (FIG. 4) provided in the storage unit 13 of the management server 10 by the management program (history storage unit 124).

  An example of data included in the “carry out key” in the present embodiment is shown in FIG. Based on the “management number”, data such as “date and time” at which the export key was output, “permitted export allowed”, “expiration date”, “number of allowed export” if export is “allowed” . In this example, the “expiration date” is output from the default value “current date and time plus 2 hours date and time”, and “number of allowed exports” is output “1”.

  When the editing of the “take-out key” is completed, the management program (terminal approval unit 123) sends the data of the “take-out key” to the key application program (identification information transmission unit 223) such as the user terminal 2 that performs processing in cooperation. Transmit (S210).

  When the process for issuing the takeout key is completed, the management program (terminal approval unit 123) generates history data from the detection of the takeout key request file to the end of the process. The generated history data is stored in the “history management DB 132” (FIG. 4) provided in the storage unit 13 of the management server 10 by the management program (history storage unit 124).

  FIG. 11 shows an example of history data generated by the management program (terminal approval unit 123). Based on the “management number”, it is composed of data such as “user authentication result”, “workflow result”, and “output date and time of take-out key”. However, when the “workflow result” is “denied”, the data of “output date of take-out key” is not output.

  In the present embodiment, the flow after S201 operates as a child process. As a result, the burden on the system can be reduced.

  Further, in this example, when the “authorization method” of the terminal is “automatic” in the authentication DB 131, data of “take-out key” is uniformly generated. However, depending on the security level of the terminal, different “take-out” It can also be set to generate "key" data.

  For example, for the purpose of protecting personal information, there are arbitrary restrictions on the terminals of departments that handle a lot of personal information, such as the Human Resources Department and Customer Center, and the terminals provided by managers who manage members in other departments. Can also be provided. Examples of optional restrictions include the upper limit of the file size of data files to be exported to the outside, restrictions on export by file type estimated by extension, etc., restrictions on export of unencrypted files, etc. It is done.

[Normal take-out control program (data outflow control means 224)]
FIG. 12 is a diagram for explaining a processing flow in a normal time of the carry-out control program (data outflow control means 224) provided in the user terminal 2.

  First, when the user terminal 2 is activated, a take-out control program (data outflow control means 224) executes to read a setting file and prepare for a take-out request from the user (S301).

  FIG. 13 shows an example of the default value of the setting file in the present embodiment. In this example, the default value is to perform a filtering check on a data file to be taken out by the user. As a result, it is possible to detect a problematic data file before the outflow and control to prevent outflow. In this example, the default value is to monitor illegal take-out without presenting a take-out key.

  After the setting file is read, it is prepared for presenting a take-out key from the key application program (identification information transmission means 223) that performs processing in cooperation. Specifically, the take-out control program (data outflow control means 224) monitors the data reception of the take-out key transmitted from the management program (terminal approval means 123) to the key application program (identification information transmission means 223) (S302). ).

  When the takeout control program (data outflow control means 224) detects the receipt of the takeout key, it sets the value of the “counter B” of the loop to “0” (S303).

  In this example, the carry-out control program (data outflow control means 224) performs a filtering check on the data to be taken out by the user according to the default setting file (S304). Here, the data subjected to the filtering inspection is data copied from the user folder 231 of the interface unit 20 in the user terminal 2 to the take-out folder 232 outside the interface unit 20.

  In this case, the data file to be subjected to the filtering inspection is identified by the date and time (S203) of the key request constituting the “management number” recorded in the “takeout key” and the export to the outside in S105 of FIG. This is done by matching with the transmission date and time attached to the target data file.

  If the determination result of the filtering test is “no problem” (“no problem” in S305), the export control program (data outflow control means 224) executes data export processing to the outside.

  Specifically, based on the data of the detected take-out key (FIG. 8), when the date and time (current date and time) for taking out data to the outside is larger than the expiration date, that is, until the expiration date has passed or the loop This is executed by loop processing until the value of “Counter B” reaches the value of “Number of allowed export” (S306, S310).

  In the loop processing, first, “file export processing” is performed based on the data of the export key (S307).

  Here, “file export processing” refers to the case where a copy of the data file stored in the user terminal 2 is stored in the external medium 5 or the like, or the data file is written out by the function of the business program 225 or the like. In the case of saving to 5 or the like, there is a case in which a data file saved in the user terminal 2 is attached by an e-mail function and transmitted to the external terminal 7 or the like via the network 6 such as the Internet.

  The take-out control program (data outflow control means 224) executes an operation involving taking out the data file to the outside in cooperation with the operation system or the business program 225.

  When the export is finished in any data file by the “file export process”, “1” is added to the value of “0” which is the current “counter B” of the loop, and “1” is obtained. (S308).

  The export control program (data outflow control means 224) in the present embodiment, when the export process of one data file is completed, each time the log (execution log) related to the process is processed in cooperation with the management server 10 The information is transmitted to the management program (history saving means 124) (S309).

  The management program (history saving unit 124) that has received the execution log terminates processing after detecting the key request file by the management program (terminal approval unit 123) in the history management DB 132 provided in the storage unit 13 of the management server 10. Save it in association with historical data up to.

  An example of data included in the “execution log” in the present embodiment is shown in FIG. Based on the “management number”, “takeout date / time” taken out to the outside, “result of filtering inspection history”, “file name” taken out to the outside, and the like are output. In addition, when the result of the filtering inspection history is “problem”, the “takeout date / time” is not output.

  When the take-out control program (data outflow control means 224) completes the transmission of the “execution log”, the current date has not expired or the value of “Counter B” has reached the value of “Number of allowed carry-out”. Judge whether it is not.

  In this example, since the default value of “number of allowed exports” is “1”, the value of “counter B” is “1” in S308, and the condition is satisfied (S306), and the loop processing is completed (S310).

  If the value of “number of allowed exports” is set to “2” or more, the loop processing is repeated until the value reaches that value (S306 to S310).

  Also, when the user terminal 2 or the like does not carry out the take-out operation before the expiration date (S306), the loop process ends (S310).

  When the loop-out process is finished, the take-out control program (data outflow control means 224) deletes the data file to be taken out to the outside copied and stored in the take-out folder 232 (S314), and ends the process.

  On the other hand, when the determination result of the filtering inspection is “problem” in S305 (“problem” in S305), the result of the filtering inspection history is output (S311).

  FIG. 15 shows an example of “results of filtering inspection history”. Based on the “management number”, data such as “file name” for filtering inspection and “inspection result” such as a checked phrase are output.

  On the monitor (output unit 25) of the user terminal 2, the message “Filtering inspection history” and a message “There was a problem with the filtering inspection. Cannot be taken out. Please contact the administrator.” Output (S312).

  As a result, the user can confirm the problematic phrase included in the data file to be taken out to the outside, create a new data file, and send it again. Therefore, for example, when the user has overlooked a problematic phrase, there is an effect that an opportunity of receiving a check in advance can be obtained before transmission is completed.

  Next, the take-out control program (data outflow control means 224) generates an “execution log” (FIG. 14) based on the filtering inspection history and transmits it to the management program (history storage means 124) that performs processing in cooperation. . The management program (history storage means 124) that has received the execution log stores it in the history management DB 132 in association with the history data of the take-out key request.

  The takeout control program (data outflow control means 224) that has transmitted the execution log performs a process of deleting the data file to be taken out to the outside copied / saved in the takeout folder 232 (S314) and ends the process.

  In the present embodiment, the flow after S302 operates as a child process. As a result, the burden on the system can be reduced.

[Take-out control program for illegal take-out (data outflow control means 224)]
FIG. 16 is a diagram for explaining the processing flow at the time of illegal take-out of the take-out control program (data outflow control means 224) provided in the user terminal 2.

  In the present embodiment, the default value of the “setting file” of the key application program (identification information transmission means 223) is used to lock the user operation to the data file to be taken out during the take-out key request process. However, when priority is given to the convenience of user operation, it can be set not to lock.

  However, if the user operation is not locked to the data file to be taken out, there is a possibility that the data file is taken out from the user folder 231 without presenting the take-out key. In the present embodiment, history management can be performed when unauthorized take-out is performed in such a setting.

  First, when the user terminal 2 is activated, the take-out control program (data outflow control means 224) executes, reads the setting file (FIG. 13), and prepares for a take-out request from the user (S401).

  In normal times, after the setting file is read, it is prepared to present a take-out key from the key application program (identification information transmission means 223) that performs processing in cooperation.

  However, in this example, the user performs an operation on the user terminal 2 that involves moving the data file beyond the interface unit 20 without presenting the take-out key.

  Specifically, the carry-out control program (data outflow control means 224) in the present embodiment detects the movement of the data file beyond the interface unit 20 (S402).

  In the “setting file” of the carry-out control program (data outflow control means 224) in this example, the filtering check is set to “present”, so the carry-out control program (data outflow control means 223) during normal takeout shown in FIG. ), A filtering check is executed (S404).

  If the result of the filtering check is “no problem” (“no problem” in S404), a log (execution log) related to the process is transmitted to the management program (history saving means 124) (S406). In this “execution log” (FIG. 14), “illegal export” is output in the “status” column.

  On the other hand, when the result of the filtering inspection is “problematic” (“problem” in S404), the filtering inspection history is output (S405), and the processing log (execution log) is stored in the management program (history saving). To the means 124) (S406). Similarly, “illegal export” is output in the “status” column of the “execution log” (FIG. 14).

  In this embodiment, the flow after S402 operates as a child process. As a result, the burden on the system can be reduced.

[Management program (history saving means 124)]
FIG. 17 is a diagram illustrating a processing flow of the management program (history saving unit 124) provided in the management server 10.

  The management program (history saving means 124) detects the reception of the “execution log” (FIG. 14) transmitted from the export control program (data outflow control means 224) provided in the user terminal 2 that performs the processing in cooperation ( (S501) and output to the history management DB 132 (S502).

  In the present embodiment, the flow after S501 operates as a child process. As a result, the burden on the system can be reduced.

  When the “execution log” is output to the history management DB 132, it is stored in the corresponding area by matching with the “management number” included in the execution log.

  As a result, in the history management DB 132 (FIG. 4), when an operation involving taking out a data file from the user to the outside is performed, all correspondences are linked by the “management number” and managed collectively. It can be carried out.

  As described above, according to the data management system 1 of the present embodiment, since the history of the user taking out the data can be managed in an integrated manner, the user is restrained and the deterrence against illegal leakage of data is achieved. Can be generated.

  Further, even when an unauthorized data leak is detected, the initial response can be speeded up and the number of response steps can be reduced by the history of the user taking out the data to the outside.

  Furthermore, even in a security terminal using a technology such as a virtual client, it is possible to easily control and set data linkage for each user without being restricted by the terminal.

  In the highly versatile data management system 1 according to the present embodiment, the human system is approved by the administrator in accordance with the security level of the user terminal in cooperation with the approval function of the workflow system adopted by a company or the like. However, it can be used in many other ways by cooperating with other business systems such as a workflow system.

  For example, in the data management system 1 of the present embodiment, a process from the operation of flowing data out of the terminal to the outside until the outflow of data to the outside is managed as a series of data. By coordinating with the above, it is possible to set so that each process is managed by the department head to which the user belongs.

  Specifically, the terminal approval means 123 (management program) provided in the management server 10 is a “key request log” (identification information transmission means 223 (key application program)) transmitted by a data take-out operation performed by the user on the terminal. When the user is specified based on the above, information of the specified user and data of the “key request log” are transmitted to the cooperative workflow system.

  In the workflow system that has received the data transmission, based on the identified user information and the payment flow prepared in advance, the terminal of the head of the affiliation who performs payment for the user's form is identified and the data of the “key request log” is stored. To transmit. As a result, the department head can grasp the data export operation performed by the user belonging to the department very early.

  Next, when it is determined that the user's terminal for which the data take-out operation has been performed requires human approval (terminal approval unit 123 (management program)), the affiliation in which settlement is performed by the associated workflow system Display the approval screen on the long terminal, wait for the approval of the affiliation head, and set it up for subsequent processing.

  Note that the approval here can be performed safely and reliably by using an electronic signature by the function of the workflow system. In addition, since approval may not be received due to going out of the head of the affiliation or the like, the speed of approval can be ensured by combining the functions of the administrator of the line provided in the workflow system acting on behalf.

  Thereafter, when data export is completed by the data outflow control means 224 (export control program) provided in the user terminal 2, the history storage means 124 (management program) provided in the management server 3 displays the result of the data export in the history management DB 132. In addition to outputting, user information and “execution log” data are transmitted to the cooperating workflow system.

  In the workflow system that has received the data transmission, the terminal of the affiliation manager is identified and the “execution log” data is transmitted. Thereby, the affiliation head can grasp the result of the data export actually performed by the user very early.

  As a result, the head of the affiliation can manage in real time the data taken out by the user in the business, so that the data management in the company can be further ensured.

[Second Embodiment]
Next, a second embodiment in the data management system 1 of the present invention will be described.

  In the present embodiment, when there is a data take-out request from the identification information transmission unit 223 (key application program) such as the user terminal 2, the terminal approval unit 123 (management program) of the management server 10 It differs from 1st Embodiment by the point which determines the approval method of a terminal based on a carrying-out log | history.

  In the history management DB 132 provided in the management server 10 of the second embodiment, in addition to the data held in the first embodiment, data of “export destination” of the data file is held. Here, “take-out destination” means an e-mail address of the take-out destination in an electronic mail, an address of a take-out destination computer in the case of network sharing or the like. In addition, when a data file is copied and pasted to an external medium or the like, it means information such as the type of the target external medium.

  The history management DB 132 also holds data such as the “number of detected cases” of personal information such as the names of individuals detected in the results of the filtering test (FIG. 18).

  In the present embodiment, the terminal approving means 123 (management program) obtains the personal name as personal information as a result of the filtering inspection of the data file to be taken out by the data outflow control means 224 (takeout control program). Even if it is included, if it is less than the predetermined number, it is allowed to be taken out as a normal data file delivery range.

  Furthermore, the history management DB 132 of the present embodiment includes a “terminal history table” for managing a takeout history for each user terminal (FIG. 19). The terminal history table is provided based on the “management terminal number” of the user terminal, and manages the export history for each “export destination” and the history of data such as personal information contained in the data file to be exported. To do.

  Here, data such as personal information included in the data file is detected by a filtering inspection in the data outflow control means 224 (carry-out control program) provided in the user terminal 2 or the like.

  In the filtering inspection in this embodiment, data such as personal information and confidential information to be detected is managed by a “filtering table” provided in the storage unit 13 of the management server 10 connected via the network 6.

  The filtering table of this example manages personal information, confidential information, etc. of customers and employees who need attention when taking out data from the user terminal. Regarding employee and customer information, filtering inspections can always be performed based on the latest information by linking with the employee database provided by the Human Resources Department and the customer database provided by the Customer Center. it can.

  In the configuration example of the present embodiment illustrated in FIG. 20, a phrase to be detected is centrally managed as a “search keyword”. In addition, for these search keywords, “types” such as personal information of employees and customers, confidential information, and database information for managing these data are also stored.

  The data outflow control means 224 (export control program) searches the data file for a phrase defined in the “filtering table” when performing a filtering check on the data file to be exported.

  In the first embodiment, the terminal approval unit 123 (management program) refers to the “approval method” data held in the authentication DB 131 when selecting an approval method for the user terminal 2 or the like, and is a terminal with a high security level. The export of the data file from the server is “manual (workflow)” approval, and “automatic approval” in cooperation with the authentication DB 131 is used for other terminals.

  On the other hand, in the second embodiment, since the data file is not taken out from a terminal with a high security level, the “terminal history table” in the history management DB 132 (FIG. 19) even if it is determined as “automatic approval”. Is changed to an approval method based on “manual (workflow)” when the carry-out history for each user terminal held by the computer satisfies a certain condition.

  FIG. 21 shows a specific flow of the terminal approval unit 123 (management program) in the second embodiment. Here, a different point from FIG. 9 which showed the flow in 1st Embodiment is demonstrated.

  The terminal approval unit 123 (management program) executes the data outflow control unit 224 (carry-out control program) in response to the request received as “automatic approval” (“automatic” in S606), and the data file to be taken out The filtering inspection result data is extracted (S607).

  Next, the terminal approval unit 123 (management program) outputs the number of data such as personal information included in the data file to the terminal history table from the acquired filtering inspection result data (S607).

  Further, the data of “take-out destination” is extracted from the data of the take-out request, and the same within a predetermined period in the terminal history table (FIG. 19) selected based on the identification number of the user terminal 2 etc. that has applied. The history of taking out to the “takeout destination” is extracted (S608). Here, the history data includes the number of data such as personal information included in the data file to be taken out.

  Note that when the external media is set as “take-out destination”, the destination to actually use the data file cannot be specified, so it can be set to change to the “manual (workflow)” approval method. it can.

  In the terminal history table, the terminal approval unit 123 (management program) has the same “take-out destination” within the predetermined period and the number of data such as personal information included in the data file acquired from the result data of the filtering inspection. The total number of data such as personal information included in the data file taken out is calculated (S609).

  The total number of data such as personal information included in the calculated data file is subject to comparison with a predetermined number of cases. If the number exceeds the predetermined number, “automatic approval” to “manual The approval method is changed to “(workflow)” (“Y (manual)” in S610).

  As a result, it is possible to quickly grasp the situation where personal information or the like has been taken out carelessly and to confirm the situation through approval by the workflow, thereby preventing unauthorized data leakage.

  Here, the target of judgment is the total number of data such as personal information contained in the data file. Therefore, the personal information contained in the data file that was taken out to the same "take-out destination" within a predetermined period. Even if the number of data such as “0” is set, if the number of data such as personal information included in the data file for the export request obtained from the filtering inspection result data is “10” or more, it is determined in advance. Since this corresponds to the case where the number of cases is exceeded, the approval method is changed from “automatic approval” to “manual (workflow)” (“Y (manual)” in S610).

  In the example of FIG. 19, the predetermined number of cases is set to “10” and the predetermined period is set to “10 days”, but these numerical values can be arbitrarily set. Moreover, the phrase to be detected by the filtering inspection is not limited to personal information such as an individual's name, but can be various phrases that should prevent leakage of confidential information, for example (FIG. 20).

  In this example, the approval method is changed to the “manual (workflow)” approval method when a certain condition is met. However, it is also possible to set to prohibit taking-out by setting. Furthermore, for example, when the total number is “10 to 19”, the approval method is changed, and when it is “20 or more”, the export is prohibited, and the administrator is immediately notified. It can also be set to do.

  In addition, by creating a database of e-mail addresses, computer addresses, etc. of the take-out destination in advance and setting a flag etc. for a take-out destination with a high security level that should not be taken out, it takes a take-out request from the user terminal 2 etc. It is possible to make a comparison with the “take-out destination”. As a result, it is possible to perform a change to a manual (workflow) approval method or a control for prohibiting the take-out according to the security level of the take-out destination.

  In addition, for the control that prohibits the change of the approval method and the export, one of the control that prohibits the change of the approval method and the export is selected according to the security level of the export destination by setting multiple types of flags, etc. It can also be set to

  Note that the flag can be set, for example, by detecting frequent access to the same take-out destination and setting a predetermined number of times.

  Further, by creating a database of “file names” for data files managed by the user folder 231 such as the user terminal 2 in advance and setting a flag or the like for a data file with a high security level, a request for taking out from the user terminal 2 or the like can be made. Comparison with the “file name” can be performed. As a result, it is possible to perform a change to the approval method by manual operation (workflow) or control for prohibiting the export according to the security level of the data file to be taken out.

  In addition, for the control that prohibits the change and export of the approval method, one of the controls that prohibits the change of the approval method and the export is selected according to the security level of the data file by setting multiple types of flags, etc. It can also be set to

  As for the setting of the flag, for example, frequent access to the same data file is detected, and the flag can be set when a predetermined number of times is reached.

[Third Embodiment]
Next, a third embodiment in the data management system 1 of the present invention will be described.

  The data outflow control means 224 (carrying out control program) in the third embodiment can also detect the inflow of data files from the outside to the interface unit 20 such as the user terminal 2.

  Specifically, in the operation system or business program 225, when an operation involving the inflow of a data file beyond the interface unit 20 is selected, the operation is detected as an inflow of a data file from the outside.

  The data outflow control means 224 (export control program) that detects the inflow of the data file from the outside generates an execution log of the data file inflow.

  The generated execution log includes data such as a file name and an inflow source address, and is stored in the inflow history table provided in the history management DB 132 by the history storage unit 124 (management program) of the management server 10 that performs processing in cooperation. (FIG. 22).

  Thereafter, when the user performs a take-out operation on the data file that has flowed in from the outside, the identification information transmission means 223 (key application program) requests the take-out key, and the terminal approval means of the management server 10 performs processing in cooperation with each other. 123 (management program) authenticates the user terminal 2 and the like based on the authentication DB 131.

  Next, the terminal approval unit 123 (management program) of the present embodiment selects an “inflow history table” (FIG. 22) in addition to the “approval method” data stored in the authentication DB 131 when selecting an approval method for the user terminal 2 or the like. ) To determine the approval method.

  In this embodiment, since the data file is not taken out from a terminal with a high security level, even if it is determined as “automatic approval”, the “inflow history table” of the history management DB 132 is determined by the terminal approval unit 123 (management program). ”Is detected, and the case where the data file related to the export request is a data file that flows in from the outside is detected.

  The terminal approval unit 123 (management program) according to the present embodiment is a request that has been determined to be “automatic approval”, and a data file to be taken out flows from the outside as a result of searching the “inflow history table”. If it is a data file, the result data of the filtering inspection by the data outflow control means 224 (export control program) is extracted.

  Next, the terminal approval unit 123 (management program) outputs the number of pieces of data such as personal information included in the data file to the inflow history table from the acquired filtering inspection result data. The terminal approval unit 123 (management program) changes the approval method to “manual (workflow)” when the number of data such as personal information included in the data file is equal to or greater than a predetermined number.

  Here, the “flowed data file” can be set only to a data file that flows from a terminal provided in a department that handles personal information such as the human resources department or the customer center. It is also possible to refer to the history of repeated transmission of a data file with a specific terminal as an inflow source, and to change the approval method to “manual (workflow)” when the number of times is more than a predetermined number. it can.

  Thereby, it is possible to prevent a data file that is not managed by the user and should not be taken out to the outside.

  Further, the data outflow control means 224 (carry-out control program) of the data management system 1 in the third embodiment is performed by the user to various data files held in the user folder 231 provided in the interface unit 20 such as the user terminal 2. Access can be managed.

  Specifically, the data outflow control means 224 (carry-out control program) detects an access to the data file in the user folder 231 by the user in cooperation with an operation system such as the user terminal 2 or the business program 225. .

  The data outflow control means 224 (export control program) of this embodiment always monitors access to a data file that flows in from the outside, and also monitors other data files that are accessed at the same time while accessing the file. can do.

  The data outflow control means 224 (export control program) of the present embodiment generates an execution log when the interface unit 20 such as the user terminal 2 detects a data file accessed at the same time as the data file flowing in from the outside. To do.

  The generated execution log includes data such as a file name and a data file that has flowed in from the outside that has been accessed at the same time, and the history is stored by the history storage unit 124 (management program) of the management server 10 that performs processing in cooperation. It is stored in the inflow history table provided in the management DB 132.

  In the subsequent processing, the “data file accessed simultaneously with the data file flowing in from the outside” stored in the inflow history table is recorded by the terminal approval means 123 (management program) in the same manner as the data file flowing in from the outside. When the data file to be retrieved in the “inflow history table” of the management DB 132 and related to the export request is “a data file accessed at the same time as the data file that flows in from the outside”, under the above conditions, Change to "Manual (workflow)" approval method.

  As a result, it is possible to monitor a data file that may have been copied and pasted from a data file that has flowed in from the outside, and thus it is possible to prevent data leakage in this manner in advance.

  In this example, the history of the data file that flows in from the outside or the data file that is accessed simultaneously with the data file that flows in from the outside is managed by the database, but the data outflow control means 224 (the export control) Program) detects the inflow of the data file from the outside to the user terminal 2 or the like, or the access to the data file included in the user folder 231 made at the same time as the access to the data file from the outside. It can also be set to write these history data in the attribute information of the file.

  In such a case, the attribute information is read by a filtering check or the like executed by the data outflow control means 224 (export control program) when the data is finally taken out, and the data file to be taken out flows from the outside. If it is a file or a data file that is accessed at the same time as a data file that flows from the outside, it is sent back to the terminal approval means 123 (management program) via the identification information transmission means 223 (key application program) and approved again Can be set to do.

  When the processing by the terminal approval unit 123 (management program) is completed, the history data is stored in the history management DB 132 by the history storage unit 124 (management program) that performs processing in cooperation. The data outflow control means 224 (carrying out control program) executes outflow of the data file to the outside based on the approval data transmitted again.

  Thereby, it is possible to reduce data processing such as registration of an execution log performed in accordance with an inflow of data files from the outside.

[Fourth Embodiment]
Next, a fourth embodiment in the data management system 1 of the present invention will be described.

  In the third embodiment, when a data file flows from the outside, the data outflow control means 224 (takeout control program) that has detected the flow of the data file directly flows into the interface unit 20 of the user terminal 2 from the outside. In the data outflow control means 224 (export control program) in the present embodiment, the data file that has flowed in from the outside is temporarily stored in the export folder 232, and after performing a filtering check or the like, the interface The user folder 231 in the unit 20 is copied / saved. It should be noted that after copying / saving in the user folder 231 is completed, the data file first saved in the export folder 232 is deleted.

  In this case, the data outflow control means 224 (export control program) that has detected the inflow of the data file from the outside receives the result of the filtering check and generates an execution log of the data file inflow.

  The generated execution log includes data such as detected personal information and confidential information in addition to data such as a file name and an inflow source address. The history storage unit 124 (management program) of the management server 10 that performs the processing in cooperation manages the data such as personal information and confidential information included in the execution log in association with data such as the file name and the inflow source address. The data is stored in a “filtering table” included in the storage unit 13 of the server 10.

  In this embodiment, when selecting an approval method for the user terminal 2 or the like by the terminal approval means 123 (management program) provided in the management server 10, the filtering table is referred to in addition to the “approval method” data held in the authentication DB 131. Make a decision.

FIG. 23 shows a configuration example of the filtering table in the present embodiment.
In the filtering table of this example, data such as “search keyword”, “type”, “management source” and the like are held as in the filtering table (FIG. 20) in the second embodiment, and the search keyword is stored in the user terminal 2 or the like. If it is included in the data file that flows in from outside, the history data such as the file name of the data file that flowed in and the address of the flow-in source are stored.

  Further, in the filtering table of this example, data such as personal information and confidential information to be detected in the filtering inspection are managed separately according to their importance.

  Specifically, the management of a situation in which a data file including a keyword such as corporate confidential information is taken out of the user terminal as an absolute “search keyword” for corporate confidential information or the like.

  The personal information of customers and employees is a relative “search keyword” and is allowed to be taken out to other user terminals in the network even outside the user terminal. On the other hand, transmission of e-mails to terminals outside the network and copying / saving to external media are managed.

  In the configuration example of the filtering table of FIG. 23, a master file that defines the importance for each “type” is provided and managed collectively. In the master file of this example, the absolute “search keyword” is indicated by “x”, and the relative “search keyword” is indicated by “Δ”. These changes can be applied collectively by changing the master file.

  As a result, when the definition of importance needs to be changed depending on the situation, it is possible to quickly respond.

  Next, in this embodiment, the operation of the terminal approval unit 123 (management program) provided in the management server 10 will be described.

  The terminal approval unit 123 (management program) refers to the “filtering table” (FIG. 23) in addition to the “approval method” data stored in the authentication DB 131 when selecting the approval method for the user terminal 2 or the like. The approval method is determined based on whether or not the “search keyword” is included in the data file to be taken out.

  Specifically, the terminal approval unit 123 (management program) of the present embodiment, when it is a take-out request that has been determined as “automatic approval”, the data outflow control unit 224 (take-out control program) provided in the user terminal 2 or the like. ), The result data of the filtering check of the data file related to the export request is extracted.

  Next, when data such as personal information and confidential information is included in the result data of the filtering inspection, the filtering table provided in the management server 10 is referred to.

  In the filtering table in this example, the confidential information of the company is defined as an absolute “search keyword” (FIG. 23), and the terminal approval unit 123 (management program) includes the confidential information in the result data of the filtering inspection. And the like, the “x” in the master file included in the filtering table is detected, and the approval method is changed from “automatic approval” to “manual (workflow)”.

  As a result, when the confidential information of the company, which is the most important information, is leaked from the terminal to the outside, it becomes an approval method by “manual (workflow)”, so it is possible to ensure safety safely. it can.

  Next, even if data such as personal information is included in the result data of the filtering inspection, the data such as personal information is a relative “search keyword”, so the export destination is other user terminals in the network. In some cases, the export is permitted as it is within the normal data file delivery range. On the other hand, when the export destination is a terminal outside the network by e-mail or the like, or when copying / saving to an external medium, the approval method is changed from “automatic approval” to “manual (workflow)”.

  Specifically, the terminal approval unit 123 (management program) of the present embodiment, when the filtering inspection result data includes data such as personal information of customers and employees, “△” of the master file included in the filtering table Is detected (FIG. 23). Next, the address of the export destination is extracted from the export request file, and a database or the like for managing user terminals in the network (not shown) is searched. When the user terminal is specified, the approval method is set to “automatic approval”. " On the other hand, if the address or the like cannot be specified for the user terminal in the network, the approval method is changed from “automatic approval” to “manual (workflow)”.

  As a result, the normal data export in the network is approved by a simple method, so that the burden on the user can be reduced.

  It should be noted that relative “search keywords” such as personal information of customers and employees, etc., even if they are taken out to user terminals in the network, the “search keywords” included in the data file to be taken out "Is a phrase included in a data file that flows from the outside of the user terminal, it can also be set to limit the export.

  Specifically, when referring to the relative “search keyword” included in the data file to be taken out to the outside, the terminal management number of the user terminal requested to be taken out, and “inflow destination terminal” of the filtering table Make a comparison with the “management number” and if it is the same, set the approval method to be changed from “automatic approval” to “manual (workflow)” as the data included in the file that flows from the outside. You can also.

  In this case, it can be set so that the operation is performed only when the “inflow source terminal management number” of the filtering table is a specific user terminal in the network.

  This makes it possible to specifically manage the outflow of data from departments handling personal information such as the personnel department and customer center.

  As described above, the data management system 1 of the present invention can produce various effects by changing various settings.

It is the figure which showed the outline | summary of the data management system 1 concerning 1st Embodiment. 1 is a system block diagram of a data management system 1 according to a first embodiment. It is a structural example of authentication DB131 with which the memory | storage part 13 of the management server 10 of the data management system 1 concerning 1st Embodiment is provided. It is a structural example of log | history management DB132 with which the memory | storage part 13 of the management server 10 of the data management system 1 concerning 1st Embodiment is provided. It is a figure explaining the flow of the identification information transmission means 223 (key application program) with which the user terminal 2 of the data management system 1 concerning 1st Embodiment is provided. It is the figure which showed the example of the "setting file" of the identification information transmission means 223 (key application program) with which the user terminal 2 of the data management system 1 concerning 1st Embodiment is provided. It is the figure which showed the example of the "key request log" output by the identification information transmission means 223 (key application program) with which the user terminal 2 of the data management system 1 concerning 1st Embodiment is provided. It is the figure which showed the example of the "carry-out key" output by the terminal approval means 123 (management program) with which the management server 10 of the data management system 1 concerning 1st Embodiment is provided. It is a figure explaining the flow of the terminal approval means 123 (management program) with which the management server 10 of the data management system 1 concerning 1st Embodiment is provided. It is the figure which showed the example of the "authentication result" returned from authentication DB131 in the process of the terminal approval means 123 (management program) with which the management server 10 of the data management system 1 concerning 1st Embodiment is provided. It is the figure which showed the example of the "history data" produced | generated in the terminal approval means 123 (management program) with which the management server 10 of the data management system 1 concerning 1st Embodiment is provided. It is a figure explaining the flow in the normal time of the data outflow control means 224 (carrying-out control program) with which the user terminal 2 of the data management system 1 concerning 1st Embodiment is provided. It is the figure which showed the example of the "setting file" of the data outflow control means 224 (export control program) with which the user terminal 2 of the data management system 1 concerning 1st Embodiment is provided. It is the figure which showed the example of the "execution log" output by the data outflow control means 224 (carry-out control program) with which the user terminal 2 of the data management system 1 concerning 1st Embodiment is provided. It is the figure which showed the example of the "filtering test | inspection log | history" output by the data outflow control means 224 (carry-out control program) with which the user terminal 2 of the data management system 1 concerning 1st Embodiment is provided. It is a figure explaining the flow at the time of the illegal taking-out of the data outflow control means 224 (take-out control program) with which the user terminal 2 of the data management system 1 concerning 1st Embodiment is provided. It is a figure explaining the flow of the log | history preservation | save means 124 (management program) with which the management server 10 of the data management system 1 concerning 1st Embodiment is provided. It is a structural example of log | history management DB132 with which the memory | storage part 13 of the management server 10 of the data management system 1 concerning 2nd Embodiment is provided. It is a structural example of the terminal history table of history management DB132 with which the memory | storage part 13 of the management server 10 of the data management system 1 concerning 2nd Embodiment is provided. It is a structural example of the filtering table with which the memory | storage part 13 of the management server 10 of the data management system 1 concerning 2nd Embodiment is provided. It is a figure explaining the flow of the terminal approval means 123 (management program) with which the management server 10 of the data management system 1 concerning 2nd Embodiment is provided. It is a structural example of the inflow log | history table of log | history management DB132 with which the memory | storage part 13 of the management server 10 of the data management system 1 concerning 3rd Embodiment is provided. It is a structural example of the filtering table with which the memory | storage part 13 of the management server 10 of the data management system 1 concerning 4th Embodiment is provided.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Data management system 2 User terminal 3 Dedicated line 4 Workflow system server 5 External media 6 Network 7 External terminal 10 Management server 11, 21, 41, 71 Transmission / reception part 12, 22, 42, 72 Central processing part 13, 23, 43 73, storage unit 14, 24, 44, 74 input unit 15, 25, 45, 75 output unit 20 interface unit 121, 221 transmission / reception processing unit 122, 222 input / output processing unit 123 terminal approval unit (management program)
124 History storage means (management program)
131 Authentication DB
132 History management DB
223 Identification information transmission means (key application program)
224 Data outflow control means (take-out control program)
225 Business program 231 User folder 232 Export folder

Claims (5)

A data management system for managing the outflow of data from the terminal to the outside by data cooperation between the management server and the terminal connected via a transmission line,
The terminal includes
An identification information transmission means for receiving an operation of causing data to flow out from a terminal and transmitting data including identification information of the terminal to the management server;
Data outflow control means for executing outflow of data from the terminal to the outside based on approval data embedded with a setting for permitting outflow of data from the terminal transmitted from the management server,
With
In the management server,
The terminal is identified based on the identification information transmitted from the terminal, and when the terminal is identified, generating approval data in which the setting for permitting the outflow of data from the terminal to the outside is generated, A terminal authorization means for transmitting to the terminal;
Based on the identification information of the terminal transmitted from the terminal and the date and time when the identification information was transmitted from the terminal, generation of a management number in units of operations for causing the data made at the terminal to flow out from the terminal History data of the process for performing the identification of the terminal, the history data of the process for generating the approval data and transmitting it to the terminal, and the history of the process for executing the outflow of data generated in the terminal History storage means for storing data in a data file in association with the management number;
Equipped with a,
The data outflow control means provided in the terminal includes:
In response to the transmission of the approval data from the management server, the data to be leaked from the terminal to the outside in the operation on the terminal is copied from the storage area used by the user of the terminal to the storage area not used by the user And
If the data copied to the storage area not used by the user is subjected to a filtering test and predetermined data is detected, the data is not used by the user without being leaked from the terminal to the outside. data management system according to claim also erase replicated data in the area. The approval data generated by the terminal approval means has an expiration date,
The data outflow control means receives the transmission of the approval data from the management server, and the data to be leaked from the terminal to the outside in the operation of the terminal from the storage area used by the user of the terminal Is copied to a storage area that is not used, and the outflow of data from the terminal to the outside is performed based on the data copied to the storage area not used by the user,
When data is leaked from the terminal to the outside, or when the expiration date of the approval data has passed without executing the data leak from the terminal to the outside, the data is copied to a storage area not used by the user 2. The data management system according to claim 1, wherein the recorded data is erased. Data that prescribes the range that allows the outflow of data from the terminal to the outside set for each terminal,
The terminal approving means determines the identified terminal based on data defining a range in which the outflow of data from the terminal to the outside is permitted, and the outflow of data from the terminal to the outside is determined according to the terminal. The data management system according to claim 1 or 2, wherein approval data for limiting a permitted range is generated. The approval data generated by the terminal approval means includes identification information of the terminal that has made the approval,
Said data loss control means in the terminal other than the terminal identification number contained in the authorization data, the data of any one of 1 to 3, characterized in that do not run the outflow of data to the outside from the terminal Management system. A data management method for managing the outflow of data from the terminal to the outside by data cooperation between the management server and the terminal connected via a transmission line,
In the terminal, in response to an operation of flowing data out of the terminal, transmitting the data including the identification information of the terminal to the management server;
In the management server, based on the identification information of the terminal transmitted from the terminal and the date and time when the identification information was transmitted from the terminal, the operation for causing the data made by the terminal to flow out from the terminal as a unit Generating a management number to be stored and storing it in a data file;
Based on the terminal identification information transmitted from the terminal, the terminal is identified, and when the terminal is identified, the approval data is embedded with the setting for permitting the outflow of data from the terminal to the outside. Transmitting to the terminal;
Generating history data of processing for specifying the terminal, generating history data of processing for generating the approval data and transmitting it to the terminal, and storing the data in a data file in association with the management number;
In the terminal, upon receiving the approval data from the management server, the user does not use the data to be leaked from the terminal to the outside in the operation from the storage area used by the user of the terminal. Replicating to the storage area;
The data copied to the storage area not used by the user is subjected to a filtering test, and when the predetermined data is detected, the data copied to the storage area not used by the user is erased. If the detected data is not detected , executing the outflow of data from the terminal to the outside,
The management server receives the history data of the process that executed the outflow of data generated in the terminal via the transmission path, stores the data in a data file in association with the management number;
A data management method comprising:

Images