JP5707250B2 - Database access management system, method, and program - Google Patents

Description

  The present invention relates to a technology of a computer system including a database (DB), and in particular, realizes prevention of unauthorized access, protection of personal information, and the like by control when a user (user) accesses data in a database of the computer system. For technology.

  In recent years, crimes due to unauthorized access to a DB of a computer system have occurred, and in order to prevent this, a method for managing and controlling access to a DB is required. For example, as a basic method, when accessing the DB of the computer system from the user terminal, it is confirmed whether the user is an accessible person (for example, user authentication with a WWW server), and only a specific user accesses the DB The method of permitting (data reference etc.) is mentioned.

  In particular, when personal information (for example, name and address) is included in data in a business DB or the like, it is necessary to take measures to prevent personal information from being stolen by unauthorized access to the DB. As a means for this, there is a technique for converting data into information that does not make sense in output by encryption or masking (masking) of DB data.

  As a prior art example related to DB access management / control for preventing unauthorized access, there is JP-A-6-314288 (Patent Document 1) ("Security System for Information Management System"). In Patent Document 1, in order to enable security according to an individual, the card owner is among the personal information over a plurality of items such as basic information, emergency information, and medical history information of the patient recorded on the information card. The access right of the access card can be set as a table so that the items that can be accessed for each patient are different, and the patient can view only the information of a predetermined item, and the information of other items cannot be viewed without authority, Is described.

  JP-A-2008-33411 (Patent Document 2) ("Personal Information Masking System", etc.) is an example of a prior art related to DB data information masking (blindfolding) processing. Patent Document 2 describes a technique for masking personal information from a sequential file including personal information based on a data structure, generation of test data for an operation test of the system, and the like. If a sequential file containing customer data is used as test data, a reliable test can be performed.For example, when outsourcing test work, customer data cannot be used as test data from the viewpoint of personal information protection, but test data For example, it is described that it is preferable to use data close to actual customer data because it is possible to realize a state close to the actual environment in the operation test.

  In Patent Document 2, a data item to be masked is displayed together with a masking method option, a masking target data item selection and a masking method selection input are accepted, and based on this, a character string of the masking target data item is handled. A means for generating a test file by applying a masking method for conversion is described. As masking processing (masking method), there is described processing for converting at least a part of a character string of a target data item into another character according to a predetermined conversion rule.

JP-A-6-314288 JP 2008-33411 A

  As a basic DB access management / control system, for example, in an open computer system including a DB, access to a DB (DB server or the like) is usually via a WWW server. For this reason, the WWW server becomes a breakwater for unauthorized access. For example, access to the DB is authorized / restricted by authentication of a user / terminal that has been accessed by a WWW server. However, there are access that breaks through and intrusions, and access by unauthorized users.

  Furthermore, since there is a problem such as information leakage in the handling of DB data for business and other purposes, even a user who can access the DB (authorized) basically has the attribute of the user (affiliation department) There is a need to block (prevent) references to personal information in DB data according to authority, access level, etc.

  In this case, as described above, for example, a technique for restricting access to items corresponding to personal information of DB data according to user attributes or the like (Patent Document 1 or the like), or data processing of the item is masked. Thus, it is possible to block the reference of personal information or the like by a technique (Patent Document 2 or the like) that makes the user invisible / unreadable.

  However, the above technique has problems in the following cases. Consider the case of developing an open-type computer system including the above-mentioned DB (as an example, a system including a product purchase history management DB). In this case, as described above (Patent Document 2), for example, the system developer can use the customer DB data for the development test, so that a more reliable test can be realized. There is a problem in using it from the viewpoint of protecting personal information (for example, a problem of possibility of taking out personal information by a developer).

  Therefore, personal information protection is performed by masking items corresponding to personal information in customer DB data and using the masked data (“mask data”) for testing and other purposes. To deal with information leaks.

  In the conventional example, when performing the masking process and the test, the masking is performed by executing a predetermined program (patch) on the data (including data corresponding to personal information) taken out from the customer DB by the person in charge. I was working to get the processed data. Then, the developer performs a test process using the mask data. As described above, there is a problem that it takes time and labor for mask processing.

  In addition, since the customer DB data is handled during the mask processing work by the person in charge, there is a possibility that information on items corresponding to personal information and the like may be in contact with the person in charge.

  In addition, when the mask processing has uniform contents, there is a problem that the mask data is difficult to handle or cannot be sufficiently tested depending on the test contents and type (data use application). For example, from the viewpoint of personal information protection, it is easy if the predetermined data items in the DB are completely masked so that they cannot be completely seen by the user, but the test processing result cannot be confirmed with the mask data. is there.

  Not only in the case of the above-mentioned test for system development, but also for various other data use applications, it is not possible to flexibly cope with uniform mask processing.

  In view of the above, a main object of the present invention relates to an information processing system that manages and controls access to a DB of a computer system including the DB, and provides a technique for solving the above-described problems. (1) Effective countermeasures against problems such as unauthorized access to DB data by users and leakage of personal information (especially the possibility of unauthorized take-out of DB data by users inside the organization including system developers, etc.) (2) Reduction of work of mask processing and testing, etc. (3) Information protection effect by realizing flexible mask processing according to multiple (various) data use applications (for example, test processing for system development) Provide a technology that can achieve a balance between the convenience of data use and the convenience of data use.

  A typical embodiment of the present invention is an information processing system (DB access management system) that manages and controls access to a DB of a computer system including the DB, and has the following configuration. To do.

  In the present invention, for the problems (purposes) as described in (1) to (3) above, (1) DB access control according to user / user attribute (for example, system developer) etc. (restriction of reference to data items) (2) Control of application (execution) of automatic mask processing according to user / user attribute etc. for DB data, (3) Multiple mask processing considering multiple (various) data usage purposes Has a means for flexibly setting / selecting functions.

  The system of this embodiment has the following configuration, for example. The DB access management system according to the present embodiment includes a computer system that performs processing to access a DB and retrieve data based on access from a user terminal, and the computer system allows the user to access the DB. A security box that realizes a processing function to be managed and controlled; and a security master that is setting information of the processing function of the security box. The security box includes a master setting unit, a user confirmation unit, and a mask processing unit. The master setting unit performs processing for setting information of the security master by an administrator, and the setting information is for reference restriction target data and target data in the DB data for each user or user attribute. Contains information defining the mask process to be applied. When the user accesses the DB by the user, the user confirmation unit refers to the access information and the security master information to perform a process of determining and confirming the state including the reference restriction of the user. . The mask processing unit performs a predetermined mask process on the data extracted from the DB by access by the user according to a state including the reference restriction of the user, and returns the masked data. Do. With the above configuration, the masked data is automatically used when the user uses the data in the DB.

  According to a typical embodiment of the present invention, (1) Problems such as unauthorized access to DB data and leakage of personal information by a user (particularly unauthorized removal of DB data by users inside the organization including system developers, etc.) Effective countermeasures), (2) reduction of labor for mask processing and testing, etc. (3) flexible according to multiple (various) data usage applications (for example, test processing for system development) By realizing the mask processing, it is possible to realize a balance between the effect of information protection and the convenience of data use.

It is a figure which shows the structure of the system (DB access management system) of one embodiment of this invention. It is a figure which shows the structural example of the process between APP server (business program) -DB server of FIG. It is a figure which shows the structure of the specific usage example (The example of a data utilization use) of the system of FIG. It is a flowchart which shows the process example of the security box in the system of this Embodiment. It is a figure which shows the DB data example of the system of this Embodiment, (a) is the original DB data example, (b) is the first example of DB data reference (after masking), (c) DB data reference ( A second example after masking is shown. It is a figure which shows the example of the setting information of the security master in the system of this Embodiment, (a) is a basic 1st table, (b) is a 2nd table regarding a mask rule, (c) is for every DB. The 3rd table regarding these mask rules is shown. It is a figure which shows the example of a mask process of each rule in the system of this Embodiment.

  Hereinafter, embodiments (DB access management system, method, program, etc.) of the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted.

  The system according to the present embodiment (FIG. 1 and the like) automatically masks DB data according to the user / user attribute or the like as a control when a user (terminal) accesses (refers to) a DB. It has a processing function (security box 10) for performing a blindfolding process and responding. The target items included in the data retrieved from the DB are restricted by the masking so that the user cannot see or read the target items, thereby protecting personal information and the like. Use (for example, test processing) is enabled. As settings related to the processing function (security box 10), the administrator or the like can set contents such as reference restriction and mask processing according to the user / user attribute or the like (security master 50).

  In particular, the present system provides mask processing of a plurality of rules regarding mask processing (FIG. 1, 13A to 13C, etc.), and can be set flexibly. In particular, by setting and applying mask processing (rules) in relation to user attributes and data usage (for example, test processing for system development), effects such as personal information protection and convenience of DB data usage Can be balanced.

[System configuration]
FIG. 1 shows the configuration of the system (DB access management system) of the present embodiment. The entire system has a configuration in which a computer system 100, a user (U) terminal 200, a printer server / printer 300, and the like are connected via a network 90. The network 90 (the same applies to 91 and 92 in FIG. 3) indicates a communication means corresponding to the computer system, such as the Internet, a LAN, or a dedicated network.

  The computer system 100 is a system for a predetermined business that is normally operated by a customer (for example, a company or a local government). In the present embodiment, the computer system 100 is an open system (Web) system connected to the network 90.

  The computer system 100 includes elements such as a DB (database) 1, a DB server 2, an APP (application) server 3, and a WWW server 4, which are connected by communication means (not shown).

  The DB 1 is a relational database, for example, and stores predetermined data information (FIG. 5, which will be described later) managed by a customer on business. DB1 is held in the DB server 2 or other storage means. DB1 may be of any type, such as a network type DB or a hierarchical type DB. A plurality of DBs 1 and a plurality of physical arrangements may exist. The DB server 2 includes DB 1 and an existing (known technology) DB access processing unit 21 that manages access to DB 1, and a security box 10 and a security master 50 that are characteristic elements of the DB server 2.

  The DB access processing unit 21 performs access (operation) processing on the DB 1 by a predetermined method, for example, SQL (for example, a known relational DB management system). For example, it includes processing for extracting data of DB1 with the SELECT syntax. It is set in advance so that the DB access processing unit 21 and the security box 10 cooperate when the DB server 2 is operating (when accessing the DB 1).

  The APP server 3 includes a business program 31 and provides predetermined business processing (service processing) in cooperation with the DB server 2 and the WWW server 4 by processing of the business program 31. An example of processing contents of the business program 31 will be described later (FIG. 2). In the APP server 3 (business program 31), the DB1 data including the masked data (mask data) is referred to.

  The WWW server 4 provides service processing by a predetermined Web page or the like for access from the user terminal 200. The WWW server 4 includes a user authentication unit 41 (known technology), and determines whether the accessed user (terminal) is an authorized user (terminal) in the computer system 100 by processing of the user authentication unit 41. If the user (terminal) is not authorized, the access is denied.

  The terminal 200 used by the user (U) is a computer such as a general PC provided with a WWW browser or OS having a function of accessing the WWW server 4 via the network 90 (known technology). FIG. 1 illustrates only a terminal 200 of a user U1. The user (U) is, for example, an employee of a company that operates the computer system 100 or an end user who accesses a service (such as a web page) provided by the computer system 100.

  The user (U) terminal 200 includes a DB data utilization unit 60 and a storage unit 70. The DB data use unit 60 is configured by a predetermined processing unit that uses the data of the DB 1 corresponding to the user's data use application, and includes or is connected to the storage unit 70. The storage unit 70 is configured by a storage unit such as a memory, a storage, or a portable medium that stores DB1 data (DB data 80). For example, the DB data utilization unit 60 stores DB1 data (DB data 80) acquired / referenced from the computer system 100 based on a user operation in the storage unit 70 and displays it on the display screen of the terminal 200. . As another example, the data utilization unit 60 performs a predetermined program process on the acquired DB1 data, stores the result in the storage unit 70, and outputs the result.

  The printer server / printer 300 is used when the DB1 data (DB data 80) is printed based on an operation from the user terminal 200 and output as a form 301 as an example of use (output) of DB1 data. Is done. The other DB1 data (DB data 80) is used and output according to the user's use of data.

[Security Box]
In FIG. 1, a configuration example of the security box 10 is as follows. The security box 10 includes a master setting unit 11, a user confirmation unit 12, and a mask processing unit 13. Specifically, the mask processing unit 13 includes a plurality of rule mask processing units (programs) such as a rule A processing unit 13A, a rule B processing unit 13B, and a rule C processing unit 13C. The processing function of the security box 10 can be realized by, for example, processing of executing the program of the present embodiment in the DB server 2 (hardware / software).

  The master setting unit 11 performs a process of setting information of the security master 50 based on an operation of the administrator U0, for example. The administrator U0 can appropriately set the information necessary for the security master 50 using the master setting unit 11. The setting interface is, for example, a web page screen. For example, a web page screen for setting provided by the master setting unit 11 is accessed from the terminal of the administrator U0. On this screen, it is possible to display information for setting the security master 50, for example, table information as shown in FIG. 6 to be described later, and update and save the setting by inputting each value by the operation of the administrator U0. .

  The user confirmation unit 12 refers to the security master 50 (FIG. 6) and the like, confirms the state of reference restriction according to the accessed user / user attribute (department / position), etc., and applies according to the reference restriction. A process for confirming the mask process (rule) to be performed is performed (described later, FIG. 4). As a confirmation of the reference restriction (reference restriction presence / absence and restriction item), the user / terminal can refer to which range (item, etc.) and which range (item, etc.) cannot be referred to in the data to be accessed in DB1. Check if you want to.

  The mask processing unit 13 refers to the confirmation state by the user confirmation unit 12 and refers to the security master 50 or the like, and applies to the data retrieved from the DB 1 by the DB access processing unit 21 of the corresponding rule applied to the user. The mask processing is executed using the corresponding rule processing unit (13A or the like), and processing for returning mask data of the processing result is performed (described later, FIG. 4). For example, when applying the rule A mask process, the mask process by the rule A processing unit 13A is performed. In the mask processing, data values such as character strings in the reference restriction target area corresponding to the access target item of DB1 are processed in accordance with a predetermined rule (algorithm or the like) so that it cannot be seen or read by the user. The converted data (mask data) is generated.

[Security Master]
A configuration example of the security master 50 is as follows using FIG. The setting information of the security master 50 includes, for example, a first table T1 in FIG. 6A, a second table T2 in FIG. 6B, and a third table T3 in FIG. In the security master 50, by setting a range (item or the like) that can be accessed by each user in the data of the DB1 or a range (item or the like) that is subject to reference restriction, unauthorized access prevention, personal information protection, etc. Plan.

  In the first table T1 of FIG. 6A, the items are (a) user name, (b) user attribute, (c) reference restriction presence / absence, (d) mask rule, (e) restriction item 1, (f ) Restriction item 2, (g) Restriction item 3,... In the first table T1, for example, reference restriction presence / absence and restriction items, application mask rules, and the like are set in association with each other or for each user attribute.

  The user name “a” is identification information of the user (U), and a user who is basically granted access by the computer system 100 is registered. The user attribute b is information indicating the department or position to which the organization belongs in the present embodiment, the user group, the user type, or the like as the attribute of the user. For example, there are “administrator” (U0 compatible), “developer A”, “developer B”, and the like. Further, the user attribute may be set as a close concept such as the job / work of the user.

  The reference restriction presence / absence of c is flag information indicating the presence / absence of reference restriction of the user. 0 indicates that there is no reference restriction, and 1 indicates that there is a reference restriction. The mask rule of d is information for designating mask processing (its rule) to be applied when there is a reference restriction (1) (points to the information in the second table T2 in FIG. 6B). When there is no reference restriction (0), it is not set (blank). Restriction items such as “restriction item 1” in e are information for specifying items subject to reference restriction in the case of reference restriction (1), and a plurality of restriction items can be set.

  For example, in the record of user U1 (developer A) in T1, there is a reference restriction, and it is set that the items such as “name” and “address” in the data of DB1 are restricted by applying the rule A mask processing. ing.

  In the second table T2 of FIG. 6B, items include (a) mask rule, (b) contents, (c) data use application, (d) mask position, and the like. In T2, information such as the contents of the mask rule of T1 and data usage is set in association with each other.

  The mask rule of a is the same as d of T1, but is information for designating mask processing (its rule). In this example, there are rule A, rule B, rule C, rule D, and the like. For example, the rule A indicates a mask process (program) by the rule A processing unit 13A of FIG. The content of b is information indicating the content of the mask rule, and is the name of the corresponding mask processing algorithm (program, etc.), identification information, summary description, etc. (details will be described later, FIG. 7). Not only the rules A to D, but also a plurality of mask rules can be set as appropriate by preparing a corresponding rule processing unit program or the like.

  The data use application of c is information indicating the assumed data use application when the user (user attribute or the like) uses DB1 data including data (mask data) masked by the rule. For example, in this embodiment, there are tests A, B, C, etc. for system development. For example, “test A” is processing performed by the test A processing unit 62A of FIG. Suitable mask processes (rules) can be set according to these different contents / types of test processes (data use applications). It is also possible to add or adjust a new rule mask process according to the data usage (for example, new test contents).

  The mask position of d is information for arbitrarily designating a position (for example, what number character string) to be masked in a mask target area (item or the like). In the present embodiment, in order to realize flexible mask processing, mask presence / absence can be determined in user units, item units, individual DB item designation units, and the like, and a mask position can be arbitrarily determined as in d. it can. For example, the first, third, and fifth characters in rule B and the second, fourth, sixth, eighth, and tenth characters in rule D are replaced with designated symbols (asterisks and percentages).

  When setting the security master 50, the administrator U0 considers, for example, data use applications (for example, tests A, B, and C for system development) according to user attributes (for example, developers A, B, and C). Then, information such as T1 reference restrictions and application rules is set. As described above, the security master 50 has a configuration in which reference restrictions, mask rules, and the like can be set flexibly and in detail in accordance with individual users or user attributes, etc., and units of data usage (test processing, etc.). is there. This makes it easier to use data than before while protecting personal information when using data (testing, etc.).

  Note that the security master 50 is not limited to the above-described setting mode, and it may be possible to set user restrictions, access levels, etc., and to set reference restrictions, application rules, etc. for each unit. Further, information may be defined in units of a predetermined reference restriction or application rule set (for example, information corresponding to the setting of the record of the user U1), and may be set by specifying the unit. Furthermore, the same mask rule (d) is not necessarily applied to all restriction items (e, f, g, etc.), and it may be possible to set different mask rules for each restriction item. Good.

  In addition, for example, a user's job / operation can be set with user attributes, and an item corresponding to the job / business can be set. The item according to the job / business is not automatically restricted (masked), and the item Other items may be automatically subject to reference restriction (masking).

  A table T3 in FIG. 6C is another setting example. This is a case where a plurality of DBs 1 exist as targets ((h) DB name: address master, order master), and different rules (A, B) are set for each DB.

[Basic processing]
The basic processing contents including the user confirmation processing in the system configuration of FIG. 1 are as follows. First, information (for example, FIG. 6) is previously set for the security master 50 by the administrator U0 using the master setting unit 11 of the security box 10. In addition, the contents of the setting information of the security master 50 can be maintained (updated) as appropriate.

  For access from the terminal 200 of the user, the access user / terminal is authenticated by the user authentication unit 41 in the WWW server 4 (known technique). After passing the user authentication of the WWW server 4, the DB server 2 is accessed via the business program 31 of the APP server 3 or directly from the WWW server 4, thereby referring to the data in the DB 1. At that time, the DB server 2 through which the access is made is always secure when accessing the DB 1 so that an unauthorized user / terminal that breaks through the WWW server 4 (user authentication) can also handle the access to the DB 1. It is preset (configured) to pass (cooperate) with the box 10. The DB access processing unit 21 that has received a request / instruction for accessing DB 1 cooperates with the processing of the security box 10 based on the above settings.

  In the processing of the security box 10 to be linked, based on the setting information of the security master 50, the user confirmation unit 12 confirms the state of reference restriction according to the user / user attribute and the like, and the DB access processing unit 21 extracts it from the DB1. The mask processing unit 13 performs a mask process corresponding to the state such as the reference restriction on the data to be responded.

  In the present embodiment, the security box 10 (user confirmation unit 12) refers to the table (FIG. 6) of the security master 50 for access requests / commands to the DB1, and the following (A1) to (A4) Judgment / confirmation is performed including these points (also corresponding to FIG. 4).

  (A1) Whether the user (/ user attribute, etc.) is a person who can access DB1 (basically authorized user registered in the security master 50) (corresponding to step S14 in FIG. 4) .

  (A2) Whether the user (authorized user) has a reference restriction on the data in DB1 (S16).

  (A3) What is the specific target data (such as an item corresponding to personal information) in DB1 that falls under the reference restriction (S19).

  (A4) What is the applicable mask rule (type) according to the reference restriction and target data (restriction item) (S20).

  The security box 10 (mask processing unit 13 or the like) performs, for example, the following (B1) to (B4) for the data extracted from the DB 1 based on the confirmation / judgment of the state such as the reference restriction (FIG. 4). Also corresponds).

  (B1) If the user (/ user attribute, etc.) is not an accessible person, the DB access is denied and an error is responded (corresponding to step S15 in FIG. 4).

  (B2) If the user is an accessible person and there is no reference restriction, data (such as the target item) retrieved from DB1 is responded without mask processing (data without mask) (S17).

  (B3) If the user is an accessible person and has a reference restriction, the corresponding rule mask is applied to the data (access target item, etc.) retrieved from DB 1 in accordance with the reference restriction item and the application mask rule. Processing is performed and the data (masked data) is returned (S21).

  For example, as shown in FIG. 6, the user U1 (developer A) has reference restrictions, the reference restriction items are “name” and “address”, and the applied mask rule is rule A (by the rule A processing unit 13A). Then, mask data as shown in FIG. 5B is obtained and responded.

  (B4) Another example of B3. Similarly, when the user is an accessible person and is a user with a reference restriction different from B3, the user is retrieved from DB1 according to the content of the reference restriction. Data in which the mask processing of the corresponding rule is applied to the received data is returned.

  For example, as shown in FIG. 6, the user U2 (developer B) has a reference restriction, the reference restriction item is “name”, the application mask rule is rule B (by the rule B processing unit 13B), and FIG. Mask data such as (c) is obtained and responded.

[DB access flow]
In FIG. 1, the outline of the flow at the time of DB access is as follows (s1 etc. indicate the procedure). For example, the user U1 accesses the computer system 100 from the terminal 200, uses the service, and refers to data retrieved from the DB1.

  (S1) Access (login, service request, etc.) from the terminal 200 of the user U1 to the WWW server 4 via the network 90. The access request is accompanied by identification information such as a user ID or a terminal ID (known technique).

  (S2) The WWW server 4 provides a Web page, authenticates the access user (terminal) using the user authentication unit 41, and if the user is not authorized (terminal), the WWW server 4 Stop the access.

  (S3) After passing the user authentication, the WWW server 4 accesses the APP server 3 to provide a predetermined service process (business process), for example.

  (S4) The APP server 3 provides predetermined service processing (business processing) by processing of the business program 31 for access from the WWW server 4 (details will be described later, FIG. 2). Here, it is assumed that the service processing (example) includes reference to DB data (mask data) (for example, display on a Web page screen). The business program 31 includes an instruction for accessing (referring to) the data in the DB 1. If there is such a command, the APP server 3 (business program 31) accesses the DB server 2. Note that the business program 31 is a program in which normal business processing is implemented, and is not a masking program and does not generate a masking program here.

  (S5) When the DB server 2 receives access from the APP server 3 (business program 31), the DB access processing unit 21 performs access processing to the DB 1 in the past, but in the present embodiment, Before the access processing to DB1, it cooperates with the processing of the security box 10.

  (S6) Based on the cooperation from the DB access processing unit 21, the security box 10 executes a predetermined process at the stage immediately before the DB access (when the DB access is requested). In the present embodiment, the user confirmation unit 12 confirms a state such as a reference restriction of the access user while referring to the security master 50 or the like. When there is a reference restriction, mask processing is performed by the mask processing unit 13 on the data extracted from DB1 below, and when there is no reference restriction, it is not performed.

  (S7) After the processing in the security box 10, the DB access processing unit 21 of the DB server 2 executes processing such as data reference based on the command for the DB1. For example, the SQL SELECT syntax is used, and the target data (such as the item specified by the instruction) is extracted from DB1.

  (S8) The DB access processing unit 21 of the DB server 2 cooperates with the security box 10 and cooperates with the security box 10 to deliver the data extracted from the DB 1 at s7.

  (S9) The security box 10 executes a predetermined process at a stage immediately after the DB access (at the time of DB access response). In the present embodiment, in particular, when there is a reference restriction in s6, the mask processing unit 13 performs mask processing with a rule corresponding to the user while referring to the security master 50 or the like. Based on the table (FIG. 6), the application mask rule corresponding to the user / user attribute or the like is confirmed, and the mask processing by the rule processing unit (13A or the like) corresponding to the application mask rule is activated and executed. Thereby, data (mask data) obtained by performing mask processing on records and items corresponding to the reference restriction in the DB1 data is obtained.

  (S10) When the reference restriction is present, the DB access processing unit 21 of the DB server 2 obtains the mask data (DB reference data) of s9 and responds to the requesting APP server 3 (business program 31).

  (S11) The APP server 3 (business program 31) reflects the mask data (DB reference data) acquired from the DB server 2 in the service process. The same processing as described above is repeated for each DB access instruction. The APP server 3 (business program 31) responds to the WWW server 2 with the result information of the service processing (for example, the DB data reference result including the mask data).

  (S12) The WWW server 4 transmits the Web page screen (update data) including the service processing result information (DB data reference result including the mask data) acquired from the APP server 3 via the network 90 to the terminal of the user U1. Respond to 200.

  (S13) The terminal 200 (data utilization unit 60, storage unit 70) of the user U1 acquires the Web page screen (update data) and displays it on the display screen. Thereby, the user U1 can see the DB data reference result including the mask data on the Web page screen. Further, for example, the data use unit 60 and the storage unit 70 can execute processing for using predetermined data using the DB data 80 including the mask data, and save and output the result.

[Processing flow]
An example of the processing flow of the security box 10 will be described with reference to FIG. 4 (S10 and the like represent processing steps).

  (S10) The security box 10 accepts a DB access request or the like in cooperation with the DB access processing unit 21. The DB access request is, for example, an instruction for referring to data of a specified record / item from the table of DB1.

  (S11) The security box 10 decodes the DB access request information in S10 and decomposes it into, for example, user information and access target information. The user information is information such as a user ID / terminal ID. The access target information is, for example, information such as records and items that are targets of data reference in DB1.

  (S12) If the DB access request information is read end (Y), the process proceeds to S24. If the read is not complete (N), the process proceeds to the next S13.

  (S13) The user confirmation unit 12 refers to the read information (such as the user information of the DB access request) and the information in the table of the security master 50 (FIG. 6), and in the subsequent steps, the above-described (A1 to A4 etc.) Judgment and confirmation processing such as reference restrictions is performed.

  (S14) The user confirmation unit 12 first determines whether or not the access user is a DB accessible person (A1). In the present embodiment, looking at the user information of the DB access request, if the corresponding user is registered in the item “user name” (a) in the table T1 of FIG. 6, it is determined that the user can access the DB. If it is not accessible (N), the process proceeds to S15. If it is accessible (Y), the process proceeds to the next S16.

  (S15) If the person is not an accessible person (N), the security box 10 returns an error indicating that the DB access is impossible, as in B1, and returns to the first (S10).

  (S16) Next, in S16, the user confirmation unit 12 determines whether or not the user has reference restrictions (A2). In the present embodiment, it can be confirmed by looking at the flag value of the item “reference restriction presence / absence” (c) in the table T1 of FIG. When there is no reference restriction (0) (N), the process proceeds to S17, and when there is a reference restriction (1) (Y), the process proceeds to the next S18.

  (S17) When there is no reference restriction (0) (N), as for the data retrieved from DB1 by the DB access request, data without mask processing is returned as it is, and the process returns to the first (S10).

  (S18) Next, the user confirmation unit 12 performs the following steps while referring to the access target information of the DB access request and the information in the table T1 of the security master 50 for the reference restriction (1) of the user. , Processing related to the data value of the item to be accessed is performed.

  (S19) The user confirmation unit 12 confirms whether or not the item to be referred to in the access target of the user corresponds to the reference restriction. In the present embodiment, the value of each “restriction item” (e, etc.) in the table T1 in FIG. 6 corresponds to the reference restriction. If the target item is a reference restriction item (Y), the process proceeds to S20, and if it is not a reference restriction item (N), the process proceeds to S22.

  (S22) In S22, the data value of the target item is left without mask processing (data without mask).

  (S20) In S20, a mask rule to be applied to the user (/ user attribute, etc.) and the target item is determined (A4). In the present embodiment, this can be confirmed by looking at the “mask rule” (d) in the table T1 of FIG. In the present embodiment, mask processing (rule application) can be performed in user units, DB units, item units, and the like.

  (S21) In S21, the mask processing unit 13 uses the rule processing unit (13A or the like) corresponding to the application rule of S20 to apply the corresponding rule to the data value of the reference restriction target item (mask processing target area). The mask processing is performed, and the masked data as a result is obtained.

  (S23) In S23, the masked data in S21 (item unit) or the unmasked data in S22 (item unit) is returned to the DB access processing unit 21.

  (S24) In S24, the security box 10 performs a predetermined end process and returns the process to the DB access processing unit 21.

  In addition to the processing example of FIG. 4, for example, a process of referring to a plurality of item data of a record is repeatedly performed for each item data (S19 to S22, etc.) in the security box 10, and the result (masked data / no mask) DB reference data including data) may be collectively returned to the DB access processing unit 21.

[Example of processing between APP server and DB server]
A processing example between the APP server 3 (business program 31) and the DB server 2 (DB access processing unit 21) corresponding to the s4 to s11 and the like will be described below with reference to FIG. The APP server 3 has the contents as shown in FIG. 2 for each access from the WWW server 4 based on the access from the terminal 200 (for example, corresponding to a request for referring to a plurality of records (records) in the DB 1). The business program 31 is processed. The business program 31 describes logic of predetermined service processing (business processing). The business program 31 includes a DB connection command (C1), a repeat start command (C2), a DB access command (C3), a read area save (C4), a repeat end command (C5), and the like. The DB access instruction (C3) is an instruction for referring to data (specified record, item, etc.) of DB1. These instructions are described using, for example, SQL. For example, in a repeat instruction (C2 to C5), a plurality of records (records) are referred to.

  If there is a DB connection command (C1) during processing of the business program 31, a corresponding request / command is generated from the APP server 3 (business program 31) to the DB server 2 (DB access processing unit 21). Upon receiving the request, the DB access processing unit 21 performs connection processing (CONNECT) to DB1.

  When there is a DB access command (C3) (for example, a command for referring to data of a specified record / item) in the repeat command (C2 to C5), each time the DB server 2 (DB access processing unit 21) is requested. The corresponding request / instruction is generated. In response to this request, the DB access processing unit 21 performs a process of cooperation with the security box 10 (user confirmation), and then requests the DB 1 for the requested access process (for example, referring to data of a specified record / item). ) Is performed using, for example, the SQL SELECT syntax, and as a result, data retrieved from DB1 is obtained. Then, the DB access processing unit 21 performs cooperation processing with the security box 10 to obtain data (mask data) on which the necessary mask processing is performed on the corresponding item of the data in the DB 1, and then the mask data is stored. Responds to the APP server 3 (business program 31).

  The access process to the DB 1 as described above is repeated for each record reference, for example. After executing a series of processing of the business program 31, the APP server 3 returns the result information to the WWW server 4, and further responds from the WWW server 4 to the user terminal 200. Although the items in DB1 are not mask data (mask-processed data), according to the present technology, when DB1 data is referred to, the mask data (the mask processing method follows the designation of the security master 50) is referred to.

[Usage example]
Next, with reference to FIG. 3 and the like, a case of performing a system development test process and the like will be described as an example of use of the system of the present embodiment and an example of use of data in DB1. In FIG. 3, the upper side shows the first computer system 101 or the like that is the operating environment for normal operation of the customer, and the lower side is the second computer system that is a system development environment for the first computer system 101. 102 etc. are shown. Basic components are the same as in FIG.

  The first computer system 101 includes a DB 1a, a DB server 2a, an APP server 3a, a WWW server 4a, and the like, similar to the elements in FIG. For example, the security box 10 and the security master 50 are provided in the DB server 2a. The DB 1a is original complete data and does not include mask data (a specific example is FIG. 5A). The business program 31 of the APP server 3a refers to mask data (online inquiry and data downloading). The terminal 201 includes a DB data use unit 61 and a storage unit 71 for using data in the DB 1a, and can use and store DB data 81 (including mask data) extracted from the DB 1a. The user U1 is, for example, the developer A on the second computer system 102 side, and uses the terminal 201 for the operation of extracting the data (81) of DB1 for system development (note that the extraction operation is performed in the table of FIG. 6). May be performed by other (registered) personnel registered with The user U1 (developer A) retrieves the data in the DB 1a of the computer system 101 from the terminal 201 in the same manner as described above (FIG. 1 etc.), and at that time, the mask data is automatically obtained by the function of the security box 10 (masking The mask data can be referred to without generating a program) and stored in the storage unit 71 as DB data 81 (including mask data).

  The second computer system 102 includes a DB 1b, a DB server 2b, an APP server 3b, a WWW server 4b, and the like, similar to the elements in FIG. For example, 2b, 3b, 4b, etc. are development targets. The second computer system 102 (DB server 2b) need not include the security box 10 or the like. In the second computer system 102, the DB 1b uses the data (81, 82) extracted from the first computer system 101, and therefore includes mask data. There may be a plurality of APP servers 3b (business program 31) such as # 1 (31A) and # 2 (31B). For example, the APP server # 1 (31A) outputs mask data, and the APP server # 2 (31B) references mask data (of course, reference is possible without mask processing).

  The user U 1 (developer A) accesses the second computer system 102 from the terminal 202. The terminal 202 of the user U1 includes a data use unit 62 and a storage unit 72 for using data stored in the DB 1b. For example, the user U1 (developer A) uses the DB data 81 extracted from the DB 1a in the first computer system 101 and automatically masked and stored in the storage unit 71 as the terminal of the user U1 of the second computer system 102. The data is moved / copied into the storage unit 72 of 202 to obtain DB data 82. The movement / copying of the DB data takes a form according to the use of the data, such as a form in which the DB data 81 is stored and carried in a storage medium, or a form in which the DB data 81 is transferred via the network 90. Also, as shown in FIG. 6, it is possible to arbitrarily set the mask position and change the mask character (replacement symbol).

  The data utilization unit 62 includes a test A processing unit 62A, in particular, as an example. The test A processing unit 62A uses the DB data 82 to perform a specific test A process for system development. Similarly, although not shown, the test B processing unit 62B provided in the terminal of another user U2 (for example, developer B) performs processing of another specific test B for system development. Similarly, a plurality of users U (not shown) may be connected to each other by a terminal and may perform the same or different data use processing (test processing or the like).

[DB data]
FIG. 5A shows an example of a table of original data stored in DB1. This table is a case of managing record information on the purchase of a product by a customer at a store or EC site (product purchase history management DB). This table has items such as a primary key, a secondary key, a record classification, a name, an address, a TEL (telephone number), a purchased product, a model name, and other various items.

  FIG. 5B is a first example of a result of referring to data for the table of FIG. 5A of DB1. For example, it is a case where the designated item shown in the drawing is referred to for access to DB1 by the user U1 (developer A). Among the items of data extracted from DB1, based on the setting of the security master 50 (for example, corresponding to the setting of the record of the user U1 in FIG. 6A), the items “name” and “address” corresponding to the reference restriction The data after the rule A mask processing (defined by rule A in table T2 in FIG. 6B) is performed.

  FIG. 5C is a second example of a result of referring to data for the table of FIG. 5A of DB1. For example, it is a case where the designated record shown in the drawing is referred to for access to DB1 by the user U2 (developer B). Among items of data extracted from DB1, rule B is set for the item “name” corresponding to the reference restriction based on the setting of the security master 50 (for example, corresponding to the setting of the record of the user U2 in FIG. 6A). The data after the masking process (defined by rule B of table T2 in FIG. 6B) is performed. In FIG. 5C, the mask position (d of T2) is 1, 3, and 5, and the mask character (replacement symbol) is an asterisk (*).

[Mask processing]
FIG. 7 shows an example of contents of mask processing of each rule corresponding to the table T2 of FIG. 6B and each rule processing unit of FIG.

  In the mask processing of rule A by the rule A processing unit 13A, the content (for example, program name) is “continuous asterisk”. The processing logic of rule A is to replace (fill in) all (continuous) characters in a mask target area (for example, items) corresponding to the reference restriction with a predetermined symbol, for example, an asterisk (*).

  For example, when the data value of the item “name” specified by “restricted item 1” of T1 is the character string “Suzuki_Taro” (“_” is a space), the data value after replacement (masked data) is a character. It becomes the column “****”.

  The content of the mask processing of rule B by the rule B processing unit 13B is “partial asterisk”. The processing logic of rule B is to partially replace characters in the mask target area with a predetermined symbol, for example, an asterisk (*). For example, the first, third, and fifth characters are replaced by one character. As indicated by T2 in FIG. 6, it is possible to arbitrarily set the mask position (d) and change the mask character (replacement symbol). For example, the value “Suzuki_Taro” before masking becomes the value “* wood * thickness *” after masking.

  The rule C masking process by the rule C processing unit 13C is “unspecified alphanumeric character”. The processing logic of rule C is to replace all characters in the mask target area with unspecified (random) characters. The replacement character is, for example, an alphanumeric character. For example, the value “Suzuki_Taro” before masking becomes the value “ABCDE” after masking. Further, as shown in FIG. 6C, even if the item (restriction item) is, for example, the same “address”, the mask process can be changed for each user or DB.

  Details of the rules (processing logic), mask target areas, replacement symbols, and the like can be appropriately changed using the master setting unit 11. For example, a program such as the rule A processing unit 13A can be added or updated. Various other rules (for example, shifting a character code value to convert it into another character, etc.) can be set as appropriate according to the data use application. Further, as shown by T3 in FIG. 6C, for a user who is not individually designated (set) on the table, a predetermined rule (for example, A) is set for the target item as indicated by the “other” record. The mask can be set to be automatically executed.

[Relationship between mask processing (rules) and data usage (user attributes, etc.)]
In this system, by using the master setting unit 11 and the security master 50 (FIG. 6), it is possible to flexibly set the correspondence between the mask process (rule) and the data usage (user attribute, etc.). For example, as data utilization applications, there are tests A, B, C, etc. for system development (FIG. 3). The mask processing of the applied rule can be set differently for each of these various test processes. For example, in the table of FIG. 6, test A by developer A is associated with rule A as a data use application, and test B by developer B is associated with rule B. For example, the rule A mask process is a process for generating mask data suitable for the test A, and the rule B mask process is a process for generating mask data suitable for the test B. That is, since mask data suitable for data usage (various tests) is automatically obtained, it is possible to obtain an effect of high convenience in data usage, such as easy testing while realizing protection of personal information.

  Similarly, it is possible to set reference restrictions and application rules (mask processing) for different data usage applications, not limited to system development tests.

  Further, for example, in the case of rule A in FIG. 7 and the like, in the mask data, all characters in the target area are hidden with asterisks (*), so that, for example, names are completely invisible and protected. For example, depending on the content of the test process, there may be an inconvenience that it is difficult for a user (developer or the like) to visually recognize (confirm) the processing result of the mask data. Even in such a case, in this system, it is possible to adjust the reference restriction and the rule setting according to the contents of the data use application (test processing or the like). For example, the rule A is suitable for the test A, and the rule B is suitable for the test B, so that it can be set with an effective relationship. Thereby, when using the mask data by the user, the balance between personal information protection and convenience can be made appropriate.

[Effects and modifications]
As described above, according to this embodiment, (1) problems such as unauthorized access to DB1 data and leakage of personal information by the user due to control of reference restriction and mask processing according to user / user attributes, etc. It is possible to realize an effective countermeasure against (especially the possibility of unauthorized take-out of DB data by users inside the organization including system developers). (2) It is also possible to reduce the labor of mask processing and testing. In the conventional example, the work of obtaining mask data by separately processing the data extracted from the DB is necessary. However, such work is unnecessary / reduced, and masking (blindfolding) of personal information items and the like. Can be easily realized. (3) The effect of information protection and the convenience of data use by realizing flexible mask processing (mask processing of multiple rules) according to multiple (various) data usage applications (for example, test processing for system development) A balance with the effects of can be realized.

  Further, in the conventional example, when DB data is masked by a separate program process, the data information of the corresponding restriction item (mask target) is touched by the person in charge of the work. On the other hand, in the present embodiment, since the data already masked is obtained when the data is extracted from the DB 1 side and the data is returned to the business program 31 or the like, the data information corresponding to the eyes of the user (person in charge) is obtained. Can be avoided at all, that is, the effect of protecting personal information is high.

  Further, this mask process is not an encryption process, and the original data cannot be obtained by decrypting the masked data itself extracted from DB1. Therefore, it is highly effective as an information leakage countermeasure.

  In Patent Document 2, it is necessary to generate a masking program, and the mask target input is a sequential file. On the other hand, according to the present invention (this embodiment), it is possible to directly mask when generating a DB without generating a masking program (masking is possible without generating a masking program). In addition, there is an advantage that the mask target input can be directly performed on the DB (can be masked without using a sequential file).

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the present invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Needless to say.

  For example, the access management system is not limited to DB access management but may be a similar access management system for other documents and files. Further, the types of mask processing may be expanded, and image processing may be used instead of text processing. Further, for example, the position where the security box 10 or the like is provided is not limited to the DB server 2 but may be another device, or a dedicated server may be provided. As described above, it is only necessary to configure so that the process of the security box 10 is always performed when accessing the DB1.

  The present invention can be used for a data access management system such as a DB, a system development system, and the like.

  DESCRIPTION OF SYMBOLS 1 ... DB, 2 ... DB server, 3 ... APP server, 4 ... WWW server, 10 ... Security box, 11 ... Master setting part, 12 ... User confirmation part, 13 ... Mask processing part, 13A ... Rule A processing part, 13B ... Rule B processing unit, 13C ... Rule C processing unit, 21 ... DB access processing unit, 31 ... Business program, 41 ... User authentication unit, 50 ... Security master, 60, 61, 62 ... Data utilization unit, 70, 71, 72: storage unit, 100, 101, 102 ... computer system, 200, 201, 202 ... terminal, 300 ... printer server / printer, 301 ... form.

Claims (5)

A database access management system comprising a computer system that performs processing for accessing a database and retrieving data based on access from a user terminal,
The computer system includes a security box that realizes a processing function for managing and controlling access to the database by the user, and a security master that is setting information of the processing function of the security box,
The security box includes a master setting unit, a user confirmation unit, and a mask processing unit,
The master setting unit performs processing for setting information of the security master by an administrator, and the setting information is for reference restriction target data and target data in the data of the database for each user or user attribute. As information for specifying the mask processing to be applied, information on the user or user attribute, information on presence or absence of the reference restriction for each user or user attribute, information on a database and items subject to the reference restriction, and a plurality of information A mask process for each rule, information for specifying a mask process to be applied to an item of the database subject to the reference restriction, and a plurality of each related to the mask process for each of the plurality of rules Data usage or user attributes, including the system developer as the user attributes. The data usage includes a plurality of test processes for system development, and includes a mask process of rules to be applied to the test process, and the contents of the mask process are masks in the area of the restriction target item Including information specifying the position and information specifying the character after masking,
The user confirmation unit refers to the access information and the security master information when the user accesses the database, includes a state including the reference restriction of the user, and uses the data of the user. Or, according to the user attribute, perform the process to determine and confirm the mask process of the rule to be applied ,
The mask processing unit includes a rule processing unit that performs mask processing of each of a plurality of rules , and is predetermined according to a state including reference restriction of the user with respect to data extracted from the database by access by the user. , Perform the process of returning the masked data,
The database access management system according to claim 1, wherein the masked data is automatically used when the user uses the database data. The database access management system according to claim 1,
The security box is based on information of the security master,
Regarding a request for access to the database from the terminal of the user,
It is determined whether or not the user is an accessible person, and if it is not an accessible person, a process of making an inaccessible error,
A process for determining whether or not there is a reference restriction of the user, and in the case of no reference restriction, a process of responding as it is without mask processing;
Determining the reference restriction target data of the user, and if the access target of the request is the reference restriction target data, performing a process of responding to the masked data of the target data. Database access management system. The database access management system according to claim 1,
The computer system includes:
A WWW server device that receives access from the user's terminal;
An application server device that is accessed from the WWW server device and provides processing by a business program;
A database server device that is accessed from the application server device and performs processing for accessing the database and retrieving data;
A database access management system comprising: the database server device including the security box and the security master, and performing cooperative processing when accessing the database. A database access management method performed in a computer system that performs processing to access a database and retrieve data based on access from a user terminal,
The computer system includes a security box that realizes a processing function for managing and controlling access to the database by the user, and a security master that is setting information of the processing function of the security box,
In the processing of the security box,
Performing a process of setting information of the security master by an administrator;
When the user accesses the database, referring to the access information and the security master information , depending on the state including the reference restriction of the user and the data usage or user attribute of the user Performing a process of determining and confirming a mask process of a rule to be applied ;
The data retrieved from the database by the access by the user is subjected to a predetermined mask process of the mask process of each of a plurality of rules according to the state including the reference restriction of the user, and the mask process is performed. And a step of performing processing for returning data,
The security master setting information includes, as information for specifying the reference restriction target data in the data of the database for each user or user attribute and the mask process applied to the target data , the user or user attribute information, Information on the presence or absence of the reference restriction for each user or user attribute, information on the database and items subject to the reference restriction, mask processing of each of a plurality of rules, and information on the database subject to the reference restriction Information specifying a mask process to be applied to an item, and a plurality of data use applications or user attributes related to the mask process of each of the plurality of rules, and system development as the user attributes Multiple test processes for system development as the data usage Including a mask process of a rule to be applied to the test process, the contents of the mask process include information specifying a mask position in the area of the restriction target item, information specifying a character after masking Including,
According to the above configuration, the masked data is automatically used when the user uses the data in the database. A database access management program executed in a computer system that performs processing for accessing a database and retrieving data based on access from a user terminal,
The computer system includes a security box that realizes a processing function for managing and controlling access to the database by the user, and a security master that is setting information of the processing function of the security box,
In the program for realizing the processing of the security box,
A program for executing processing for setting information of the security master by an administrator;
When the user accesses the database, referring to the access information and the security master information , depending on the state including the reference restriction of the user and the data usage or user attribute of the user A program for determining and confirming the mask processing of the rule to be applied ;
The data retrieved from the database by the access by the user is subjected to a predetermined mask process of the mask process of each of a plurality of rules according to the state including the reference restriction of the user, and the mask process is performed. A program for performing processing to return data,
The security master setting information includes, as information for specifying the reference restriction target data in the data of the database for each user or user attribute and the mask process applied to the target data , the user or user attribute information, Information on the presence or absence of the reference restriction for each user or user attribute, information on the database and items subject to the reference restriction, mask processing of each of a plurality of rules, and information on the database subject to the reference restriction Information specifying a mask process to be applied to an item, and a plurality of data use applications or user attributes related to the mask process of each of the plurality of rules, and system development as the user attributes Multiple test processes for system development as the data usage Including a mask process of a rule to be applied to the test process, the contents of the mask process include information specifying a mask position in the area of the restriction target item, information specifying a character after masking Including,
The database access management program according to the above configuration, wherein the masked data is automatically used when the user uses the data of the database.

Images