JP5560912B2 - Computer system including data movement restriction function - Google Patents

Description

  The present invention relates to a computer system including a data movement restriction function.

There are many servers on a network such as the Internet. As a usage form of a service provided by these servers, for example, there is cloud computing. In cloud computing, a management server manages the placement of virtual machines on each physical server in the cloud, that is, a network. For this reason, it is possible for the management server to manage the geographical position of the virtual machine by identifying the physical server in which the virtual machine is operating and confirming the geographical position of the identified physical server.

Further, there is a patent document that discloses a technique for managing location information of a device such as a server using a global positioning system (GPS). That is, in this technique, the server automatically collects the installation position information and device information of the server from the GPS device, and transmits the latest installation position information and device information to the manager server through the network. Here, the installation position information includes the latitude and longitude of the installation position of the server.

JP 2009-169580 A

  In a conventional computer system, consideration is given to the circumstances such as protection restrictions in the area (including the country) where the data destination server exists for data sent and received between the data source server and the data destination server via the network. Measures are not taken.

  Therefore, even when circumstances such as protection regulations in the area to which data is to be transferred are not compatible, it is not possible to restrict movement associated with data copying.

  In addition, when the data transmitted / received between these servers is leaked, the leaked area cannot be identified, so that the leaked area cannot be dealt with.

  The problem is to provide a technology that enables movement restriction of data to be moved in accordance with the data movement destination area.

  In order to solve the above-described problem, the data movement restriction method is such that the first computer that is the data movement source that holds the movement target data has a location area of the first computer, a permitted area that permits data movement, and data movement. 2nd indicating the location of the second computer acquired from the second computer to which the data is moved through the first location information and the network, and the second location information And determining whether or not to permit the movement target data to be moved to the second computer is executed based on the comparison result.

  According to the disclosed method, the movement of the movement target data can be restricted according to the data movement destination area.

  Other objects, features and advantages will become apparent upon reading the detailed description set forth below when taken in conjunction with the drawings and the appended claims.

1 is a block diagram showing a configuration of a computer system according to an embodiment. The block diagram which shows the detailed structure of the server computer which can be applied to the computer system of one embodiment. The figure for demonstrating the structure of the positional information in one embodiment, time information, and additional information. The flowchart for demonstrating the data movement restriction | limiting process of one Embodiment. The flowchart for demonstrating the data movement restriction | limiting process of one Embodiment. The flowchart for demonstrating the data movement restriction | limiting process of one Embodiment. The flowchart for demonstrating the area comparison process of one Embodiment. The figure for demonstrating the structure of the execution server position information in the data movement restriction | limiting process of one Embodiment, and the other party server position information. The figure for demonstrating the structure of the additional information in the data movement restriction | limiting process of one embodiment.

  Hereinafter, further detailed description will be given with reference to the accompanying drawings. The drawings show preferred embodiments. However, it can be implemented in many different forms and should not be construed as limited to the embodiments set forth herein.

[System configuration and functions]
Referring to FIG. 1 showing a system configuration in one embodiment, a computer system SYS including a data movement restriction function includes a first server computer (also referred to as an execution server) 1 that is a data movement source, and a data movement A second server computer (sometimes referred to as a partner server) 2 and a network 3 such as the Internet are provided. In the computer system SYS that is actually constructed, there are a large number of server computers 1 and 2 on the international network 3, but the illustration is simplified here.

  As shown in FIG. 2, each of the fixedly arranged server computers 1 and 2 includes a control unit 5, a position information response unit 10, a position information collection unit 20, an information addition unit 30, and a storage unit 40. The control unit 5 performs a data movement restriction process in cooperation with the position information response unit 10, the position information collection unit 20, the information addition unit 30, and the storage unit 40.

  The location information response unit 10 receives a location information collection request from one server computer (here, the first server computer 1), and a reference unit 12 that references (reads) the location information that it owns. And a transmission unit 13 that returns the referenced location information, and responds with the location information held by itself when a location information collection request is received from one of the server computers.

The location information collection unit 20 includes a transmission unit 21 that transmits a location information collection request to the other server computer (here, the second server computer 2), and a reception unit that receives a response of the location information from the other server computer. 22 and a providing unit 23 that provides the received position information so that the process can refer to the information, and inquires and collects the position information from the other server computer.

  The information adding unit 30 includes a reference unit 31 that refers to both the own position information 41 and the time information 42 and a setting unit 32 that adds the additional information 43 to the movement target data 44. When the data 44 is stored in the storage unit 40, additional information 43 including a region and time is set.

  The storage unit 40 stores position information 41, time information 42, additional information 43, and movement target data 44. A configuration example of the position information 41, time information 42, and additional information 43 stored in the storage unit 40 is shown in FIG.

  Specifically, the position information 41 includes, as items, information of “area”, “permitted area”, and “rejected area”. In the content column corresponding to each item, country names such as Japan, USA (USA), China, and Russia are stored. The country name can be specified by a character string or a numerical value. In addition, the country name is designated singly or plurally depending on the item.

  Here, the “region” in the position information 41 is region (location region) information in which the first server computer 1 or the second server computer 2 is arranged. The “permitted area” is area information that permits data movement, and the “rejected area” is area information that does not allow data movement.

  When the position information 41 is set in the server computers 1 and 2, a method of specifying an area based on coordinate information (longitude and latitude) indicating a geographical position acquired by using the GPS, or an operation performed when the server computers 1 and 2 are installed. It is possible to adopt a method of manual setting by a person.

  The time information 42 stores information representing the current time in a content column corresponding to “time” as an item. As the information indicating the current time, any one of the local time at which the server computers 1 and 2 are arranged, the standard time, and the total seconds (integrated seconds) can be applied.

When the time information 42 is set in the server computers 1 and 2, a method of performing time setting by NTP (Network Time Protocol), a method of manually setting the time when the server computers 1 and 2 are installed, and the like It is possible to take

  The additional information 43 includes items of “region” and “time” as items. In the content column corresponding to “Region”, the country name such as Japan is stored. The country name is specified as a single string or number. In the content column corresponding to “time”, the time (arrival time) when the movement target data 44 has moved to the area in the format of year / month / day, hour: minute: second is set. This additional information 43 is obtained by sequentially accumulating past movement histories and is added to the movement target data 44.

  In the server computers 1 and 2 having the above-described configuration, the control unit 5, the position information response unit 10, the position information collection unit 20, and the information addition unit 30 install the data movement restriction control program as an application program in the auxiliary storage device. Sometimes, it can be realized as a function of the central controller. The storage unit 40 is configured by an auxiliary storage device. Although the server computers 1 and 2 include a main storage device, a man-machine interface, a communication interface, and the like, illustration of this configuration is omitted here.

[Data movement restriction processing]
Next, an example of data movement restriction processing in the computer system SYS of one embodiment will be described with reference to FIGS. 1, 2, 3 and related drawings.

  Here, a data movement example in which the execution server 1 corresponding to the data movement source transmits a file copied as movement target data to the partner server 2 corresponding to the data movement destination via the network 3 will be described. In the following description, the intervention of the network 3 is omitted.

  In the execution server 1, when the operator in the partner server 2 performs a specified operation for copying a file existing in the execution server 1 via the man-machine interface, the data movement restriction process is triggered by the notification of the specified operation. To do.

  In the execution server 1, the reference unit 12 of the position information response unit 10 acquires (refers to) the position information (execution server position information) 41 stored in advance in the storage unit 40 (S50 in FIG. 4A). This execution server location information 41 includes region: Japan, permitted region: China, and rejected region: America. The transmission unit 21 of the location information collection unit 20 transmits a collection request for the location information 41A of the counterpart server to the counterpart server 2 (S51).

  In the partner server 2, the receiving unit 11 of the location information response unit 10 receives a location information collection request from the execution server 1 (S52). When this collection request is received, the reference unit 12 acquires the position information (partner server position information) 41A stored in the storage unit 40 in advance, and the transmission unit 13 returns the acquired position information 41A to the execution server 1 ( S53).

  In the execution server 1, the receiving unit 22 of the position information collecting unit 20 receives the position information 41A from the counterpart server 2 as a response (S54). This partner server location information 41A includes region: America, permitted region: Japan, Russia, and rejected region: China.

  Subsequently, in the execution server 1, the control unit 5 that cooperates with the reference unit 12 and the providing unit 23 determines that the execution server position information 41 exists (S55), and further includes the partner server position information 41A. (S56 in FIG. 4B).

  When these determinations are affirmative, the control unit 5 executes a region comparison process based on the execution server location information 41 and the counterpart server location information 41A (S57). In addition, in the area comparison process described later as an example, the position information about the permitted area and the reject area included in the partner server position information 41A is not used, and therefore reception from the partner server 2 may be omitted. However, the position information can be reflected in the area comparison process to further improve the accuracy.

  As shown in detail in FIG. 5, in this region comparison process, first, it is determined that the region (location region) of the execution server 1 and the region (location region) of the partner server 2 are the same (S571). . Next, it is determined that the area of the partner server 2 is included in the rejection area of the execution server 1 (S572). Further, it is determined that the area of the partner server 2 is included in the permitted area of the execution server 1 (S573).

The determination result by this area comparison process is one of the following four forms MD1, MD2, MD3, MD4.
In MD1: S571, when it is determined that the regions are the same, data movement is affirmed (permitted) (OK).
MD2: If it is determined in S571 that the areas are not the same, but it is determined in S572 that the area is not a rejection area, and it is determined in S573 that the area is a permitted area, data movement is affirmed (OK).
MD3: If it is determined in S571 that the areas are not identical and it is determined in S572 that the area is a rejected area, data movement is denied (NG).
MD4: It is determined that the areas are not the same in S571, and it is determined that the area is not a rejected area in S572. However, if it is determined that the area is not a permitted area in S573, data movement is denied (NG).

  Here, as shown in FIG. 6, the execution server location information 41 includes region: Japan, permitted region: China, refusal region: America, and the partner server location information 41A includes region: America, permitted region: Japan, Russia. , Refusal areas: including China. Therefore, the determination result by this area comparison processing is in the form MD3, and data movement is once denied.

  Referring to FIG. 4B again, in the execution server 1, whether or not the data movement can be executed according to the affirmative (OK) or negative (NG) of the determination result by the above-described regional comparison process (S57) is controlled. 5 (S58).

  When it is determined that the data movement is executable, the control unit 5 performs file copying, transmits the copied file including the additional information 43 to the partner server 2 (S59), and ends the process. However, when the control unit 5 determines that the data movement cannot be performed, a warning is displayed (S60).

  The operator acknowledges (permits) the data movement based on this warning display, for example, “the area of the destination server of the data movement destination is included in the refusal area. Do you want to allow data movement (OK)?”. When the designation operation is performed (S61), the control unit 5 copies the file and transmits the copied file including the additional information 43 to the partner server 2 (S59). When the operator performs a designation operation that does not approve data movement (S61), the control unit 5 ends the process. Thus, when the process is terminated, the other server 2 may be notified of this.

  In addition, in the said process S55, when the control part 5 determines with the execution server position information 41 not existing, it determines with the other party server position information 41A existing (S62). When the determination in the process S62 is affirmative or when the determination in the process S56 is negative, the control unit 5 displays a warning to that effect (S63).

  When the operator performs a designation operation for accepting the data movement based on the warning display “Is data movement OK?” (S64), the control unit 5 copies the file and includes the additional information 43. The copied file is transmitted to the partner server 2 (S59). When the operator performs a designation operation that does not approve the data movement (S64), or when the determination in the process S62 is negative, the control unit 5 ends the process. Thus, when the process is terminated, the other server 2 may be notified of this.

  The control unit 5 in the partner server 2 that has received the file copied in the process S59 (including the additional information 43) determines whether or not a file storage event based on the operation designated by the operator has occurred (in FIG. 4C). S65).

  In the information adding unit 30 notified from the control unit 5 that the file storage event has occurred, the reference unit 31 receives both the position information (partner server position information) 41A and the time information (current time) 42 from the storage unit 40. get. At this time, the acquired counterpart server position information 41A and time information 42 are “USA” and “2010/1/22 9:45:11”.

  The setting unit 32 includes counterpart server location information 41A and time information 42 acquired by the reference unit 31, and execution server location information (here, “Japan”) 41 and time information (here China) acquired by the control unit 5. The additional information 43 is added to the movement target data 44 based on the time (2010/1/21 10:21:25) that has moved from Japan to Japan (S66).

  FIG. 7 shows an example of the additional information 43 as the movement history added to the movement target data 44 in the process S66 when there is data movement and is finally saved. As shown in FIG. 7, the additional information 43 includes execution server location information (here, region “China”) 41 and time information (here, the time “2010/1 when moving to China” as past movement history. / 20 14:11:53 ") 42.

  The control unit 5 ends the process after the process of S66 or when no file save event occurs in S65.

[Effect of one embodiment]
In the computer system SYS described above, with respect to the movement target data 44 transmitted and received between the execution server 1 corresponding to the data movement source and the partner server 2 corresponding to the data movement destination through the network 3, the location area of the partner server 2 Whether or not data movement is possible can be determined in consideration of circumstances such as protection regulations (including countries).

  Further, when the movement target data 44 transmitted / received between the servers 1 and 2 is leaked, the additional information 43 including the location area and arrival time added to the movement target data 44 is referred to as a movement history, thereby leaking. Since the area can be specified, it is possible to strengthen data movement restrictions on the leaked area.

[Modification]
In the above-described embodiment, the data movement example in which the execution server 1 corresponding to the data movement source transmits the file copied as the movement target data to the partner server 2 corresponding to the data movement destination through the network 3 has been described. However, data transfer such as file transfer by FTP (File Transfer Protocol) may be used.

  In the above-described embodiment, the example of data movement performed between the first server computer (execution server) 1 and the second server computer (partner server) 2 has been described. It is not limited to this.

  Each process in the above-described embodiment may be performed by selecting and combining any plural or all of the processes.

  The processing in the above-described embodiment is provided as a computer-executable program, and can be provided via a recording medium such as a CD-ROM or a flexible disk, and further via a communication line.

[Others]
The following additional remarks are disclosed with respect to the above-described embodiment and modifications.

(Appendix 1)
The first computer of the data movement source that holds the movement target data is
Holding first location information indicating a location area of the first computer, a permitted area where data movement is permitted, and a refusal area where data movement is not permitted;
Comparing the first location information with the second location information indicating the location area of the second computer acquired from the second computer to which the data is moved through the network;
Based on the comparison result, it is determined whether or not the movement target data is permitted to move to the second computer.
A data movement restriction method that performs that.

(Appendix 2)
In comparing the first position information and the second position information,
A first determination that a location area of the first computer and a location area of the second computer are the same;
A second determination that a location area of the second computer is included in a rejection area of the first computer;
The data movement restriction method according to claim 1, wherein a third determination is made that a location area of the second computer is included in a permitted area of the first computer.

(Appendix 3)
The determination based on the comparison result includes the following four forms MD1, MD2, MD3, and MD4.

  MD1: In the first determination, when it is determined that the location area is the same, data movement is permitted.

  MD2: When it is determined in the first determination that the location areas are not the same, but in the second determination, it is determined that the area is not a refusal area, and in the third determination, it is determined that the area is a permitted area Allows data movement.

  MD3: If it is determined in the first determination that the location areas are not identical, and if it is determined in the second determination that the area is a rejection area, data movement is denied.

  MD4: In the first determination, it is determined that the location area is not the same, and in the second determination, it is determined that the area is not a refusal area, but in the third determination, when it is determined that the area is not a permitted area, Denies data movement.

(Appendix 4)
The data movement restriction method according to claim 1 or 3, wherein in the determination based on the comparison result, when data movement is permitted, the data to be moved is transmitted to the second computer.

(Appendix 5)
In the determination based on the comparison result, when the data movement is denied, a warning is displayed, and when the designation operation for permitting the data movement is performed by the operator based on the warning display, the movement target data is displayed. The data movement restriction method according to appendix 1 or 3, wherein: is transmitted to the second computer.

(Appendix 6)
The second computer that has received the data to be moved is
It is determined whether a storage event of the received movement target data has occurred,
When the storage event occurs, the second location information and current time information indicating the location area of the second computer, respectively, and the location of the first computer respectively acquired from the first computer The data movement restriction method according to claim 4 or 5, wherein additional information as a movement history including the first position information indicating an area and arrival time information to the first computer is added to the movement target data.

(Appendix 7)
A data source computer that holds data to be moved,
Means for holding first location information indicating a location area of the computer, a permitted area where data movement is permitted, and a denied area where data movement is not permitted;
Means for comparing the first position information with second position information indicating a location area of the other computer acquired from another computer to which data is to be moved through a network;
Means for determining whether to permit movement of the data to be moved to the other computer based on the comparison result;
A computer comprising:

(Appendix 8)
In comparing the first position information and the second position information,
A first determination that the location of the computer and the location of the other computer are the same;
A second determination that the location area of the other computer is included in the rejection area of the computer;
The computer according to appendix 7, wherein a third determination is made that the location area of the other computer is included in the permitted area of the computer.

(Appendix 9)
The determination based on the comparison result includes the following four forms MD1, MD2, MD3, MD4.
MD1: In the first determination, when it is determined that the location area is the same, data movement is permitted.
MD2: When it is determined in the first determination that the location areas are not the same, but in the second determination, it is determined that the area is not a refusal area, and in the third determination, it is determined that the area is a permitted area Allows data movement.
MD3: If it is determined in the first determination that the location areas are not identical, and if it is determined in the second determination that the area is a rejection area, data movement is denied.
MD4: In the first determination, it is determined that the location area is not the same, and in the second determination, it is determined that the area is not a refusal area, but in the third determination, when it is determined that the area is not a permitted area, Denies data movement.

(Appendix 10)
The computer according to appendix 7 or 9, further comprising means for transmitting the data to be moved to the other computer when data movement is permitted in the determination based on the comparison result.

(Appendix 11)
In the determination based on the comparison result, when data movement is denied, a means for displaying a warning;
The computer according to appendix 7 or 9, further comprising: means for transmitting the data to be moved to the other computer when a designation operation permitting data movement is performed by an operator based on the warning display.

(Appendix 12)
By transmitting the data to be moved to the other computer by the computer,
The other computer that has received the data to be moved is
It is determined whether a storage event of the received movement target data has occurred,
When the storage event occurs, the second position information and current time information indicating the location area of the other computer respectively held, and the first location information indicating the location area of the computer respectively acquired from the computer The computer according to appendix 10 or 11, which makes it possible to add additional information as a movement history including position information and arrival time information to the computer to the movement target data.

(Appendix 13)
To the data source computer that holds the data to be moved,
Holding first location information indicating a location area of the computer, a permitted area where data movement is permitted, and a denied area where data movement is not permitted,
Comparing the first location information with the second location information indicating the location area of the other computer acquired from another computer to which the data is moved through the network;
Based on the comparison result, it is determined whether or not to allow the movement target data to be moved to the other computer.
A data movement restriction control program that executes this.

SYS computer system 1 first server computer (execution server)
2 Second server computer (partner server)
3 Network 5 Control unit 10 Location information response unit 20 Location information collection unit 30 Information addition unit 40 Storage unit 41 Location information (execution server location information)
41A position information (partner server position information)
42 Time information 43 Additional information 44 Data to be moved

Claims (7)

The first computer of the data movement source that holds the movement target data is
The holding means holds first location information indicating a location area of the first computer, a permitted area where data movement is permitted, and a denied area where data movement is not permitted,
The comparing means compares the first location information with the second location information indicating the location area of the second computer acquired from the second computer to which the data is moved through the network,
A determination unit determines whether to permit the movement target data to be moved to the second computer based on the comparison result.
A data movement restriction method that performs that. In the comparison between the first position information and the second position information by the comparison means,
A first determination that a location area of the first computer and a location area of the second computer are the same;
A second determination that a location area of the second computer is included in a rejection area of the first computer;
The data movement restriction method according to claim 1, wherein a third determination is made that a location area of the second computer is included in a permitted area of the first computer. The data movement restriction method according to claim 2, wherein the determination by the determination means based on the comparison result includes the following four forms MD1, MD2, MD3, MD4.
MD1: In the first determination, when it is determined that the location area is the same, data movement is permitted.
MD2: When it is determined in the first determination that the location areas are not the same, but in the second determination, it is determined that the area is not a refusal area, and in the third determination, it is determined that the area is a permitted area Allows data movement.
MD3: If it is determined in the first determination that the location areas are not identical, and if it is determined in the second determination that the area is a rejection area, data movement is denied.
MD4: In the first determination, it is determined that the location area is not the same, and in the second determination, it is determined that the area is not a refusal area, but in the third determination, when it is determined that the area is not a permitted area, Denies data movement. In the determination by the determination means based on the comparison result, when data movement is denied, a warning is displayed, and on the basis of this warning display, when a designation operation permitting data movement is performed by the operator, claim 1 or 3 data movement limiting method according transmits the moving object data to the second computer by transmission means. The second computer that has received the data to be moved is
The determination means determines whether a storage event of the received movement target data has occurred,
When the storage event occurs, the second location information and current time information indicating the location area of the second computer, respectively, and the location of the first computer respectively acquired from the first computer The data movement restriction method according to claim 4, wherein additional information as a movement history including the first position information indicating a region and arrival time information to the first computer is added to the movement target data by an adding unit . A data source computer that holds data to be moved,
Means for holding first location information indicating a location area of the computer, a permitted area where data movement is permitted, and a denied area where data movement is not permitted;
Means for comparing the first location information with second location information indicating a location area of the other computer acquired from another computer to which data is to be moved through a network;
Means for determining whether to permit movement of the data to be moved to the other computer based on the comparison result;
A computer comprising: The data source computer that holds the data to be moved
Means for holding first location information indicating a location area of the computer, a permitted area where data movement is permitted, and a denied area where data movement is not permitted;
Means for comparing the first location information with second location information indicating a location area of the other computer acquired from another computer to which data is to be moved through a network;
Based on this comparison result, function as means for determining whether or not to allow the movement target data to be moved to the other computer,
Data movement restriction control program.

Images