JP5740260B2 - Security policy management server, security monitoring system - Google Patents

Description

  The present invention relates to a technique for managing a security monitoring policy of a security monitoring program for monitoring access to an electronic file.

  Electronic files handled by companies (hereinafter sometimes referred to as files) have different levels of importance depending on the contents. Enterprises create and operate security operation rules such as handling of files according to importance and whether or not they can be taken out. However, although there are rules, there are many cases where the operation is actually troublesome and not used.

  Patent Document 1 below discloses a technique for simply evaluating the importance of a document. In this document, the importance level of a document is determined based on whether or not a title name given to the document also includes a predetermined keyword.

JP 2007-179130 A

  In the technique described in Patent Document 1, the importance level of an electronic file can be easily determined. However, a system administrator or the like manually performs an operation for setting access permission according to the importance level. There is a need. In particular, when the access to a file is monitored by a security monitoring program, it is necessary to set a security policy in advance, but it is necessary to perform a separate task to reflect the importance of each file in the security policy. It is a burden for the person.

  The present invention has been made to solve the above-described problems, and an object of the present invention is to provide a technique capable of automatically setting a security policy of a security monitoring program according to the importance of a file. And

  The security policy management server according to the present invention includes a file classification unit that determines the importance of an electronic file, and operation definition data that defines whether or not an electronic file can be accessed for each importance of the file. When the security policy management server receives an inquiry about access permission from the security monitoring program, the security policy management server answers access permission according to the action definition data and file importance.

  The security policy management server according to the present invention holds an access permission definition corresponding to the importance of a file, and can provide this to the security monitoring program as a security policy. As a result, the system administrator can consolidate the process for managing the correspondence between the importance of the file and the accessibility to the security policy management server, so that the system administrator can be released from the work load.

1 is a configuration diagram of a security monitoring system 1000 according to Embodiment 1. FIG. It is a figure which shows the structure and data example of the importance classification table 131. FIG. It is a figure which shows the structure and data row | line | column of the importance level change rule definition table. It is a figure which shows the structure and example of data of the action definition table 133. It is a figure which shows the structure and example of data of the importance level definition table. It is a figure which shows the processing sequence when the client terminal 300 accesses the file which is not classified according to importance. It is a figure which shows the processing sequence when the client terminal 300 accesses the file classified according to importance. It is a block diagram of the security monitoring system 1000 which concerns on Embodiment 2. FIG. It is an example of a screen image of a folder importance level display screen 321 displayed by the client terminal 300. It is an example of a screen image of a file property display screen 322 displayed by the client terminal 300. It is an example of a screen image of an importance change screen 331 displayed by the client terminal 300. 3 is a diagram illustrating a configuration example of a folder importance level definition file 141 held by the security policy management server 100. FIG. 3 is a diagram illustrating a configuration example of a file name importance definition file 142 held by the security policy management server 100. FIG. 6 is a diagram illustrating a configuration example of an extension importance definition file 143 held by the security policy management server 100. FIG. 5 is a diagram illustrating a configuration example of a keyword importance definition file 144 held by the security policy management server 100. FIG. The example which recorded the keyword which the keyword field 1442 hold | maintains in another file is shown. FIG. 10 is a configuration diagram of a security monitoring system 1000 according to an eighth embodiment. It is a block diagram of the security monitoring system 1000 which concerns on Embodiment 9. FIG. It is a figure which shows the example of a display of the classification result screen 151 which the classification status display program 150 produces | generates. It is a figure which shows an example of the proposal report for the operation improvement which the operation condition analysis program 170 shows. It is a figure which shows another example of the proposal report for the operation improvement which the operation condition analysis program 170 shows. It is a figure which shows the structure and data example of the report reference | standard table 173 used when the operation condition analysis program 170 produces | generates a proposal report. It is a figure which shows the structure and example of data of the action reference | standard table 174 used when the operation condition analysis program 170 updates a security policy automatically. It is a figure which shows an example of the threshold value table 154 used when the classification condition display program 150 judges whether the distribution situation of the importance of a file is appropriate.

<Embodiment 1>
FIG. 1 is a configuration diagram of a security monitoring system 1000 according to the first embodiment of the present invention. The security monitoring system 1000 is a system that monitors access to an electronic file, and includes a security policy management server 100, a file importance management server 200, a client terminal 300, and a file server 400. These devices are connected by a network.

  In the following description, for convenience of description, each program may be described as an operation subject. However, it is added that the actual execution of each program is an arithmetic device such as a processor provided in a device equipped with each program. .

  The security policy management server 100 is a server device that manages a security monitoring policy that defines the operation of a security monitoring program that monitors access to an electronic file, and includes a file classification program 110, a security monitoring control program 120, and a storage device 130. In addition, a processor, a memory device, a network interface, and the like that execute the above programs are provided as appropriate.

  The file classification program 110 is a program that determines the importance level of the electronic file accessed by the client terminal 300 and classifies the file for each importance level. The file classification program 110 stores the classification result in the file importance management server 200 described later. Any known method can be used as a method for determining the importance of the electronic file, but it will be exemplified separately in an embodiment described later.

  The security monitoring control program 120 receives an inquiry from the security monitoring program 310 (to be described later) as to whether or not to permit access to the electronic file, and determines whether the access is permitted according to the importance of the electronic file and the description of the operation definition table 133 (to be described later). To answer. As a communication procedure between the client terminal 300 and the security monitoring control program 120, a general-purpose communication protocol such as HTTP (Hyper Text Transfer Protocol) can be used. For example, a communication procedure according to SOAP (Simple Object Access Protocol) can be used.

  The storage device 130 is configured using, for example, a hard disk device or the like, and stores an importance level classification table 131, an importance level change rule definition table 132, and an operation definition table 133. Details of these tables will be described with reference to FIGS.

  The file importance management server 200 is a server device that manages the importance of electronic files stored in the file server 400 and includes a storage device 210. The storage device 210 stores an importance level definition table 211 described later with reference to FIG.

  The client terminal 300 is a computer that accesses an electronic file stored in the file server 400, and a security monitoring program 310 is installed in advance. The client terminal 300 always executes the security monitoring program 310. The security monitoring program 310 detects that the client terminal 300 is trying to access an electronic file, inquires of the security policy management server 100 whether access is possible, and controls access to the electronic file according to the answer.

  The file server 400 is a server device that stores an electronic file accessed by the client terminal 300. In the following, access monitoring for an electronic file stored in the client terminal 300 itself will not be described. However, when performing this, the file full path name stored in the file server 400 is used as the local file path name of the client terminal 300. If changed, the same operation can be performed.

  The file classification program 110, the security monitoring control program 120, and the security monitoring program 310 are assumed to be software here, but functions equivalent to these can also be realized by hardware such as a circuit device.

  FIG. 2 is a diagram illustrating a configuration of the importance level classification table 131 and data examples. The importance level classification table 131 is a data table describing the importance level classification and description of the electronic file, and includes an importance level classification field 1311 and an importance level description field 1312.

  The importance category field 1311 holds the name of the importance category of the electronic file. Here, three levels of importance classification are illustrated, but the present invention is not limited to this. The importance level explanation field 1312 holds an explanation of the importance level category described in the importance level category field 1311. When a system administrator or the like manages this table, the explanation in this field can be referred to.

  FIG. 3 is a diagram showing the configuration and data string of the importance level change rule definition table 132. The importance level change rule definition table 132 is a data table that defines a rule for determining whether or not to change the importance level of an electronic file, and includes an importance level field 1321 and an importance level change rule field 1322.

  The importance level field 1321 holds the name of the importance level of the electronic file. This field corresponds to the importance category field 1311 of the importance category table 131. The importance level change rule field 1322 changes the electronic file classified in the importance level described in the importance level field 1311 to a higher importance level or to a lower importance level. The rule of whether or not to admit is described. When a system administrator or the like manages this table, the rule set in this field can be referred to.

  In the data example of FIG. 3, the importance level “low” electronic file cannot be further reduced in importance, and the importance level “medium” electronic file is only allowed to increase in importance. A “high” electronic file indicates that the importance cannot be increased any further.

  FIG. 4 is a diagram illustrating a configuration of the operation definition table 133 and data examples. The action definition table 133 is a data table that defines whether or not the security monitoring program 310 permits access to the electronic files classified into the respective importance levels. This table has a role as a security policy that defines the operation of the security monitoring program 310. The operation definition table 133 has an importance level field 1331 and an access permission / inhibition field 1332.

  The importance category field 1331 holds the name of the importance category of the electronic file. This field corresponds to the importance category field 1311 of the importance category table 131. The accessibility field 1332 describes how the security monitoring program 310 behaves when the client terminal 300 accesses an electronic file classified in the importance category described in the importance category field 1311. ing. Here, it is exemplified whether or not the electronic file is permitted to be taken out of the file server 400, but other operations and more detailed accessibility can be described. For example, an example in which copying and moving to an external disk drive is prohibited can be considered.

  FIG. 5 is a diagram illustrating a configuration of the importance level definition table 211 and data examples. The importance definition table 211 is a data table that defines the importance of an electronic file stored in the file server 400, and includes a file name field 2111, a file path field 2112, and an importance field 2113.

  The file name field 2111 and the file path field 2112 hold the file name and full path name of the electronic file stored in the file server 400, respectively. The importance field 2113 holds the importance value of the electronic file specified by the file name field 2111 and the file path field 2112.

  FIG. 6 is a diagram illustrating a processing sequence when the client terminal 300 accesses a file that is not classified according to importance. When the client terminal 300 accesses a file that is not classified for each importance level for the first time, it is necessary to perform a process for determining the importance level. Hereinafter, each step of FIG. 6 will be described.

(Figure 6: (1) Access to folder)
The user of the client terminal 300 instructs to access a file folder on the file server 400 by operating an appropriate file browser or the like. The client terminal 300 accesses the file folder according to the instruction.

(Figure 6: (2) Notify full path)
The security monitoring program 310 of the client terminal 300 acquires the electronic file list in the file folder accessed in step (1), and notifies the security policy management server 100 of the full path name of each electronic file. The full path name notified here is a concatenation of the path name of the file folder and the file name, such as “\\ testsv \ test \ test.txt”.

(Figure 6: (3) Classify files)
The security monitoring control program 120 of the security policy management server 100 receives the full path name of the electronic file from the client terminal 300. The security policy management server 100 activates the file classification program 110, determines the importance of each electronic file, and classifies the files by importance.

(Figure 6: (4) Store the classification results)
The file classification program 110 notifies the file importance management server 200 of the classification result of step (3) together with the full path name. The file importance management server 200 stores the classification result of each electronic file in the importance definition table 211. As a result of this step, an importance definition record as illustrated in FIG. 5 is created for each electronic file on the file server 400, and each electronic file and its importance are managed.

  FIG. 7 is a diagram illustrating a processing sequence when the client terminal 300 accesses a file classified by importance. When the client terminal 300 accesses a file classified by importance, it is necessary to determine whether or not to permit the access. Hereinafter, each step of FIG. 7 will be described.

(Figure 7: (1) Try to bring out a file)
Assume that the user of the client terminal 300 is operating an appropriate file browser or the like to take out an electronic file on the file server 400 to the outside of the file server 400 or the client terminal 300. Here, it is assumed that an electronic file is to be copied to a storage device externally attached to the client terminal 300. The security monitoring program 310 detects an operation to copy an electronic file by monitoring an operation input to the file browser.

(Figure 7: (2) Inquiries about availability)
The security monitoring program 310 determines whether or not file operation access (copying to an external storage device in this case) should be permitted for the electronic file detected to be taken outside in step (1). Queries the server 100.

(Figure 7: (3) Obtain importance)
When the security monitoring control program 120 of the security policy management server 100 receives an inquiry from the client terminal 300 about whether access is possible, the importance level of the electronic file is determined from the importance level definition table 211 held by the file importance level management server 200. get.

(FIG. 7: (4) Judgment of availability)
The security monitoring control program 120 inquires the operation definition table 133 using the importance of the electronic file acquired in step (3), and acquires the access permission definition for the electronic file of that importance. For example, in the data example shown in FIG. 4, since it is defined that electronic files of medium importance or higher are prohibited from being taken out, copying to an external storage device is prohibited.

(Figure 7: Answer (5) Yes / No)
The security monitoring control program 120 replies to the client terminal 300 whether or not the electronic file that has received the inquiry in step (2) is accessible based on the access permission definition acquired in step (4).

(Figure 7: (6) Controlling access)
The security monitoring program 310 of the client terminal 300 controls access to the electronic file whose file operation access is detected in step (1) based on the answer received in step (5). For example, when access is prohibited, a message to that effect is displayed on the screen and access is blocked. Other control operations such as permitting access but recording the contents of file operation access in a log are also conceivable.

<Embodiment 1: Summary>
As described above, the security policy management server 100 according to the first embodiment determines the importance of the electronic file and classifies it according to the importance, and determines whether the security monitoring program should permit access to the electronic file. Define every degree. As a result, the process of classifying the electronic file according to the importance and the process of setting the accessibility according to the importance can be integrated into the security policy management server 100 to be automated. The burden can be reduced.

  Also, the security policy management server 100 according to the first embodiment holds the security policy of the security monitoring program 310 separately from the security monitoring program 310 main body in the form of the action definition table 133. As a result, the security policy can be centrally managed without depending on the type of the security monitoring program 310. For example, such a security monitoring program 310 can be employed when printing control is desired, and a security monitoring program 310 having such a function can be employed when mail transmission control is desired. Other security monitoring programs 310 can be similarly controlled.

  The security policy management server 100 according to the first embodiment can use a communication protocol conforming to HTTP as a communication interface with the client terminal 300. Since HTTP is a general-purpose protocol often used for communication between a client and a server, many security monitoring programs 310 support it. In other words, it is possible to deal with a wide variety of security monitoring programs 310, so that the dependency on the individual security monitoring programs 310 can be relaxed and the versatility of the security policy management server 100 can be enhanced.

<Embodiment 2>
In the second embodiment of the present invention, a configuration will be described in which the importance given by the file classification program 110 described in the first embodiment is displayed on the screen of the client terminal 300 so that the user can confirm it. Since the configuration is the same as that of the first embodiment except for the configuration related to the process of displaying or updating the importance level of the file on the client terminal 300, the following description focuses on the differences.

  FIG. 8 is a configuration diagram of the security monitoring system 1000 according to the second embodiment. In the second embodiment, the client terminal 300 includes an importance level display program 320 and an importance level change program 330 in addition to the configuration described in the first embodiment. Functions equivalent to these programs may be realized by hardware such as a circuit device.

  The importance display program 320 displays the importance of the electronic file accessed by the client terminal 300 on the screen. Details will be described later with reference to FIGS. The importance level changing program 330 receives an operation input for changing the importance level of the electronic file and notifies the file importance level management server 200 via the security policy management server 100. Details will be described later with reference to FIG.

  FIG. 9 is a screen image example of the folder importance level display screen 321 displayed by the client terminal 300. The folder importance level display screen 321 is a screen for displaying a list of electronic files stored in the file folder and their importance levels. The operation procedure when displaying the screen of FIG. 9 will be described below.

(FIG. 9: Operation procedure step 1)
A user of the client terminal 300 accesses a folder on the file server 400 via an appropriate file browser. The importance level display program 320 transfers the path name of the accessed file folder to the security policy management server 100.

(FIG. 9: Operation procedure step 2)
Upon receiving the folder path name from the client terminal 300, the security monitoring control program 120 of the security policy management server 100 notifies the file importance management server 200 of the path name.

(FIG. 9: Operation procedure step 3)
The file importance management server 200 searches the importance definition table 211 based on the path name of the received folder, acquires a list of files and importance levels that match the path name, and returns the list to the security policy management server 100.

(FIG. 9: Operation procedure step 4)
The security policy management server 100 returns the list of files and importance received from the file importance management server 200 to the client terminal 300.

(FIG. 9: Operation procedure step 5)
The importance display program 320 of the client terminal 300 receives a list of files and importance from the security policy management server 100 and passes the list to the file browser that accessed the file server 400 in step 1. The file browser displays the received file and importance list in the file display field 3211 and importance display field 3212 of FIG.

(Figure 9: Operation procedure Step 5: Supplement)
For example, when the client terminal 300 accesses the “\\ testsv \ test” folder on the file server 400 and the “\ .testsv \ test” folder has a file “test.txt” having a high importance level, The folder importance level display screen 321 displays a file name “test.txt” and its importance level “high”.

  FIG. 10 is a screen image example of the file property display screen 322 displayed by the client terminal 300. The file importance display screen 322 is a screen that displays the importance of the electronic file and its explanatory text. Hereinafter, an operation procedure when the screen of FIG. 10 is displayed will be described.

(FIG. 10: Operation procedure step 1)
The user of the client terminal 300 displays the file property display screen 322 of the electronic file on the file browser. At this point, it is assumed that the list of files and importance levels has already been acquired by the procedure described with reference to FIG. The importance level display program 320 inquires the security policy management server 100 about the explanation corresponding to the importance level of the file and whether the file can be accessed.

(FIG. 10: Operation procedure step 2)
The security monitoring control program 120 of the security policy management server 100 acquires from the importance level classification table 131 the explanatory text of the importance level received from the client terminal 300. Also, an access permission definition is acquired from the action definition table 133. The security monitoring control program 120 returns the value acquired from each table to the client terminal 300.

(FIG. 10: Operation procedure step 3)
The importance display program 320 of the client terminal 300 receives the explanatory text and the access permission definition from the security policy management server 100, and passes the list to the file browser that displayed the file properties in step 1. The file browser displays the received explanatory text in the importance level explanation display field 3222 and displays the access permission definition in the access permission display field 3223. As the value in the importance level display field 3221, the value already acquired is displayed as it is.

(FIG. 10: Operation procedure Steps 1-3: Supplement)
In the above description, the explanation corresponding to the importance is obtained from the security policy management server 100. However, since the content of the explanation is often fixed, the client terminal 300 or the file browser is not used. At the time of activation, all explanations may be acquired from the security policy management server 100 in advance. In this case, the importance level display program 320 acquires the explanatory text when the client terminal 300 or the file browser is activated, and stores it in the memory of the client terminal 300. When the file browser displays the file property display screen 322, it acquires the explanatory text on the memory and displays it on the screen.

  FIG. 11 is a screen image example of the importance level change screen 331 displayed by the client terminal 300. The importance level change screen 331 is a screen for inputting a change instruction for changing the importance level and description of the electronic file. Hereinafter, an operation procedure related to the screen of FIG. 11 will be described.

(FIG. 11: Operation procedure step 1)
The user of the client terminal 300 selects an electronic file on the file browser and instructs the importance level change screen 331 to be displayed. At this point, it is assumed that the list of files and importance levels has already been acquired by the procedure described with reference to FIG. The importance level changing program 330 obtains the explanation text of the importance level and the accessibility definition in the same procedure as the importance level display program 320. Further, the importance level change rule definition table 132 is acquired in the same procedure, and it is grasped whether or not it is permitted to change the importance level.

(FIG. 11: Operation procedure step 2)
The importance level changing program 330 displays the file selected in step 1, the change instruction message, the importance level of the file, and the accessibility definition in display fields 3311, 3312, 3313, and 3316, respectively. The importance level change column 3314 is a column for changing and inputting the importance level of the currently selected file. The importance level changing program 330 displays the importance level explanatory text in the explanatory text input field 3315. In this field, the importance level explanatory text can be changed and input.

(FIG. 11: Operation procedure step 3)
The user inputs change contents in the importance level input field 3314 and the explanatory text input field 3316 and clicks the change button 3317. The importance level changing program 330 notifies the security policy management server 100 of the input contents and file full path name in each column.

(FIG. 11: Operation procedure Step 3: Supplement)
If the importance level of the file selected in step 1 is not changeable according to the definition of the importance level change rule definition table 132, the importance level changing program 330 deactivates the change button 3317 so that it cannot be pressed. Further, this may be displayed in the display field 3312.

(FIG. 11: Operation procedure step 4)
The security policy management server 100 updates the value of the corresponding importance level explanation field 1312 with the input contents of the explanatory text input field 3316 received from the client terminal 300. Also, the input contents of the importance input field 3314 received from the client terminal 300 are transferred to the file importance management server 200 together with the full path name.

(FIG. 11: Operation procedure step 5)
The file importance management server 200 changes the record held in the importance management table 210 that matches the full path name received from the security policy management server 100 with the content of the received description input field 3316. .

(FIG. 11: Operation procedure steps 1 to 5: supplement)
The definition content of the importance level change rule definition table 132 may be acquired from the security policy management server 100 in advance when the client terminal 300 or the file browser is activated. In this case, the importance level changing program 330 acquires the same table when the client terminal 300 or the file browser is activated, and stores it in the memory of the client terminal 300. When the file browser displays the importance level change screen 331, the file browser acquires the same table on the memory and adjusts the change button 3317 and the display field 3312 as necessary.

<Embodiment 2: Summary>
As described above, in the security monitoring system 1000 according to the second embodiment, the client terminal 300 acquires the definition content of the importance level definition table 211 and displays it on the screen together with the file list or the file property. Thereby, since the user can grasp the importance level before accessing the file operation for each electronic file, the security awareness can be raised.

  In the security monitoring system 1000 according to the second embodiment, the client terminal 300 acquires the definition content of the operation definition table 133 and displays it on the screen together with the file list or file property. As a result, the user can grasp the access control performed by the security monitoring program 310 for each electronic file, so that security awareness can be raised. Moreover, the effect which suppresses operation which is prohibited carelessly can also be anticipated.

  In the security monitoring system 1000 according to the second embodiment, the client terminal 300 displays the importance change screen 331 and provides a function of changing the importance and description of each file. Thereby, even when the classification carried out by the file classification program 110 is not complete, the user can give the importance degree accurately by himself / herself.

<Embodiment 3>
In the third embodiment of the present invention, a method for determining the importance of a file by the file classification program 110 described in the first embodiment will be described. Other configurations are the same as those in the first and second embodiments.

  FIG. 12 is a diagram illustrating a configuration example of the folder importance level definition file 141 held by the security policy management server 100. The folder importance definition 141 is a data file that defines the correspondence between a file folder and its importance, and has an importance field 1411 and a folder path field 1412.

  The importance field 1411 holds the name of the importance classification of the electronic file. This field corresponds to the importance category field 1311 of the importance category table 131. The folder path field 1412 holds the path name of the file folder that the file server 400 has.

  When the folder path accessed by the client terminal 300 matches the folder path field 1412 described in the folder importance level definition file 141 or a folder under the folder path, the file classification program 110 sets the value of the corresponding importance level field 1411. Give it to the electronic file.

  In the data example of FIG. 12, it is described that a file stored in a folder under “\\ testsv \ test” is given importance “high”. When the client terminal 300 accesses “\\ testsv \ test \ test” on the file server 400, the file classification program 110 assigns importance “high” to the file stored in the same folder.

<Embodiment 4>
In the fourth embodiment of the present invention, one method in which the file classification program 110 described in the first embodiment determines the importance of a file will be described. Other configurations are the same as those in the first to third embodiments.

  FIG. 13 is a diagram showing a configuration example of the file name importance definition file 142 held by the security policy management server 100. The file name importance definition file 142 is a data file that defines the correspondence between the importance of a file and a keyword included in the file name, and includes an importance field 1421 and a file name keyword field 1422.

  The importance field 1421 holds the name of the importance classification of the electronic file. This field corresponds to the importance category field 1311 of the importance category table 131. The file name keyword field 1422 holds a keyword that can be included in the file name and serves as a criterion for determining the file importance.

  When any of the keywords held in the file name keyword field 1422 is included in the file name of the file accessed by the client terminal 300, the file classification program 110 sets the value of the corresponding importance field 1421 to the electronic file. Give.

  In the data example of FIG. 13, it is described that a file having “confidential” in the file name is given importance “high”. If the file name of the file accessed by the client terminal 300 is “confidential file.txt”, the file classification program 110 assigns the importance “high” to the file.

<Embodiment 5>
In the fifth embodiment of the present invention, one method in which the file classification program 110 described in the first embodiment determines the importance of a file will be described. Other configurations are the same as those in the first to fourth embodiments.

  FIG. 14 is a diagram illustrating a configuration example of the extension importance level definition file 143 held by the security policy management server 100. The extension importance definition file 143 is a data file that defines the correspondence between the importance of a file and the file extension, and has an importance field 1431 and an extension field 1432.

  The importance field 1431 holds the name of the importance classification of the electronic file. This field corresponds to the importance category field 1311 of the importance category table 131. The extension field 1432 holds a file extension that serves as a reference for determining file importance.

  If the file extension accessed by the client terminal 300 matches the extension field 1432, the file classification program 110 gives the value of the corresponding importance field 1431 to the electronic file.

  In the data example of FIG. 14, it is described that a file having a file extension of “.doc” is given importance “high”. When the file accessed by the client terminal 300 has the file name “test.doc”, the file classification program 110 gives the importance “high” to the file.

<Embodiment 6>
In the sixth embodiment of the present invention, one method in which the file classification program 110 described in the first embodiment determines the importance of a file will be described. Other configurations are the same as those of the first to fifth embodiments.

  FIG. 15 is a diagram showing a configuration example of the keyword importance definition file 144 held by the security policy management server 100. The keyword importance definition file 144 is a data file that defines the correspondence between the importance of the file and the keywords recorded in the file, and includes an importance field 1441 and a keyword field 1442.

  The importance field 1441 holds the name of the importance classification of the electronic file. This field corresponds to the importance category field 1311 of the importance category table 131. The keyword field 1442 holds keywords that can be recorded in the file and serve as criteria for determining the file importance.

  If any of the keywords held in the keyword field 1442 is included in the file accessed by the client terminal 300, the file classification program 110 gives the value of the corresponding importance field 1441 to the electronic file.

  In the data example of FIG. 15, when the keyword “Ichiro Suzuki” is recorded in the file accessed by the client terminal 300, the file classification program 110 gives the file “high” importance.

  FIG. 16 shows an example in which the keywords held in the keyword field 1442 are recorded in another file. In the example shown in the figure, the keyword importance definition file 144 has a keyword file name field 1443 instead of the keyword field 1442. The keyword file name field 1443 holds a file name in which a keyword corresponding to the keyword field 1442 is recorded.

  When any one of the keywords recorded in the file specified by the keyword file name field 1443 is included in the file accessed by the client terminal 300, the file classification program 110 stores the corresponding importance level field 1441. Assign a value to the electronic file.

  In the data example of FIG. 16, when the keyword held in “name.txt” is recorded in the file accessed by the client terminal 300, the file classification program 110 assigns the importance “high” to the file. .

  In FIGS. 15 to 16, a specific importance level is assigned to a specific keyword or a keyword included in a specified file. For example, if a keyword has a large number of occurrences, a high importance level is assigned. The importance may be determined dynamically according to the number.

<Embodiment 7>
The methods described in the third to sixth embodiments can be arbitrarily combined. For example, for a file stored in a folder that is not described in the folder importance definition file 141, a complementary usage method in which the importance is determined according to the definition of the file name importance definition file 142 may be considered.

<Eighth embodiment>
FIG. 17 is a configuration diagram of a security monitoring system 1000 according to the eighth embodiment of the present invention. In the eighth embodiment, a gateway device 500 is disposed between the client terminal 300 and the file server 400. Other configurations are the same as those of the first to seventh embodiments. Here, the configuration corresponding to FIG. 1 of the first embodiment is illustrated.

  When the client terminal 300 accesses the file server 400, the gateway device 500 detects the access instead of or in parallel with the security monitoring program 310. This corresponds to the gateway device 500 performing the processing of these steps in step (1) of FIG. 6 and step (1) of FIG. The subsequent steps may be performed by the security monitoring program 310, or may be performed as far as possible by the gateway device 500.

  In the eighth embodiment, the client terminal 300 cannot access the file server 400 without going through the gateway device 500. Therefore, even when the security monitoring program 310 cannot detect the file operation access, the access to the file server 400 can be reliably detected.

<Embodiment 9>
When the security monitoring system 100 described in the first to eighth embodiments is actually started, there may be a case where it becomes clear that the importance level change rule determined at the time of system introduction is insufficient. In addition, there is a possibility that the importance level change rule set at the time of introducing the system becomes obsolete due to the change of the internal rules. Therefore, it is considered necessary to continually revise the monitoring rules. In particular, it is necessary to monitor and improve the classification status of file importance and the access status according to the security policy. However, the work of continuously performing these monitoring and improvement is heavy for the administrator.

  Therefore, Embodiment 9 of the present invention provides a technique for automatically analyzing the operation status according to the importance level of a file and the security policy, and assisting in improving the security policy.

  FIG. 18 is a configuration diagram of a security monitoring system 1000 according to the ninth embodiment. In the ninth embodiment, the security policy management server 100 includes a classification status display program 150, a log recording program 160, and an operation status analysis program 170 in addition to the configurations described in the first to eighth embodiments. Other configurations are the same as those in the first to eighth embodiments.

  The classification status display program 150 visually displays the result of classifying each electronic file stored in the file importance management server 200 according to the importance by a method illustrated in FIG. 19 described later. Further, whether or not the classification is appropriately distributed is displayed to the user according to the threshold illustrated in FIG. 24 described later.

  The log recording program 160 records the access from the security monitoring program 310 to the file importance management server 200 and the access permission result determined by the security monitoring control program 120. For example, when the security monitoring program 310 detects file access, the security policy management server 100 is inquired to determine whether the access is possible. The log recording program 160 displays the access permission result determined by the security monitoring control program 120 at that time. Record. The file classification program 110 records the result of classifying the file. Furthermore, the access status to the importance level classification table 131, the important word change rule definition table 132, and the action definition table 133 is also recorded.

  The operation status analysis program 170 analyzes the classification status of each electronic file stored in the file importance management server 200 and the access record recorded by the log recording program 160, and performs operation improvement as shown in FIG. Output a proposal report for For example, if the classification status is too biased to a specific importance level, a warning is given that the definition in the importance level definition table 211 does not conform to the current situation. In addition, a warning is displayed when the importance of a file that is frequently accessed for taking out is high, or when an approval act is too concentrated on a specific manager.

  FIG. 19 is a diagram showing a display example of the classification result screen 151 generated by the classification status display program 150. The classification result screen 151 displays a graph 152 that visually indicates the classification status and the number of files 153 for each importance level. Thereby, the administrator can grasp the current classification status.

  FIG. 20 is a diagram illustrating an example of a proposal report for operational improvement presented by the operational status analysis program 170. Here, the report file 171 generated in the text file format is illustrated.

  In the report file 171, a report is described for each line, and the first line is a header line. The items in one line are “file name” to be proposed, classified “importance”, “period” totaling access to the target file, “number of times” indicating access within the period, “suggestion” for the target file ".

  The example illustrated in FIG. 20 indicates that the file “test2.txt” has been accessed 100 times per week. According to the operation definition table 133 illustrated in FIG. 4, the accessibility of the importance “medium” is “prohibited to take out”, and therefore the accessibility of this file should be “prohibited to take out”. However, in view of the fact that a large amount of access has occurred to this file, it is considered more appropriate that the access permission for this file is “permission allowed”. Based on the contents of the report file 171, the administrator can determine again the appropriate access permission definition for this file.

  FIG. 21 is a diagram showing another example of a proposal report for operational improvement presented by the operational status analysis program 170. Here, the report file 172 generated in the text file format is illustrated.

  In the example shown in FIG. 21, the file “test.txt” is accessed 100 times per week. According to the operation definition table 133 illustrated in FIG. 4, the access permission with the importance “high” is “prohibition to take out”. The number of accesses is the same as in the example of FIG. 20, but since the importance of this file is “high”, it is rather a problem that there are too many accesses unlike FIG. Therefore, it is considered appropriate to restrict access to this file. Based on the contents of the report file 172, the administrator can determine again the appropriate access permission definition for this file.

  FIG. 22 is a diagram showing a configuration and data example of the report reference table 173 used when the operation status analysis program 170 generates a proposal report. The report reference table 173 is a data table that defines the proposal content in the proposal report presented by the operation status analysis program 170, and includes an importance field 1731, an accessibility field 1732, an action field 1733, and a report field 1734.

  The importance field 1731 and the accessibility field 1732 hold the importance level and accessibility of the electronic file defined by the operation definition table 133. A report field 1734 is a suggestion to be presented in the proposal report when an action specified by the action field 1733 occurs for a file having the importance and accessability specified by the importance field 1731 and the accessibility field 1732. Keep the contents.

  In the data example of the first line shown in FIG. 22, when 100 or more accesses occur in a week for a file of importance “high” and accessibility “prohibited to carry out”, message 1 is presented as a proposal. It is defined what should be done. This corresponds to the contents of the report file 172 shown in FIG. Similarly, the data example on the second line corresponds to the contents of the report file 171 shown in FIG.

  As shown in FIG. 19, by providing an operation status report corresponding to the importance security policy of a file, an effect of promoting operation improvement can be expected. Moreover, based on the data obtained when creating this operation status report, a proposal report as illustrated in FIGS. 20 to 22 can be presented to suggest specific improvements.

  Furthermore, it is conceivable to automatically reflect a security policy corresponding to the proposed content in addition to presenting the proposed content as illustrated in FIGS. In this case, a security policy corresponding to the contents of the report field 1734 may be created in advance, and this may be reflected at the same timing as when the operation status analysis program 170 generates a proposal report. A configuration example for this purpose will be described below.

  FIG. 23 is a diagram showing a configuration and data example of the action criterion table 174 used when the operation status analysis program 170 automatically updates the security policy. The action criteria table 174 is a data table that defines the update contents when the operation status analysis program 170 automatically updates the security policy, and includes an importance field 1741, an accessibility field 1742, an action field 1743, and an automatic change field 1744. .

  The importance field 1741, the accessibility field 1742, and the action field 1743 are the same as the importance field 1731, the accessibility field 1732, and the action field 1733 of the report reference table 173, respectively. An automatic change field 1744 is an update to be reflected in the security policy when an action specified by the action field 1743 occurs for a file having the importance and access permission specified by the importance field 1741 and the access permission / prohibition field 1742. Keep the contents.

  In the data example of the second row shown in FIG. 23, when access is performed 100 times or more per week for a file with importance “medium” and access permission “prohibition to carry out”, the access permission of the file is indicated as “ It is defined that it should be changed to “take-out permission”. This corresponds to the contents of the report file 171 shown in FIG. In FIG. 20, the proposed content is only presented, but according to this data example, the same content can be directly reflected on the security policy.

  FIG. 24 is a diagram showing an example of the threshold value table 154 used when the classification status display program 150 determines whether or not the distribution status of the importance level of the file is appropriate. The threshold table 154 defines a correspondence relationship between the importance 1541 and the threshold 1542. In the example shown in FIG. 24, it is defined that when the number of files of “low” importance exceeds 15% of the total number of files, a warning display or the like should be notified to the user. For example, the importance “low” may be displayed in red on the graph 152 of the classification result screen 151.

<Embodiment 9: Summary>
As described above, the security policy management server 100 according to the ninth embodiment analyzes the classification status of the file importance and presents the classification status in a form that is easy for the administrator to grasp. As a result, the administrator can visually grasp the classification status of the file importance and use it as an opportunity to improve the operational status of the security policy.

  Also, the security policy management server 100 according to the ninth embodiment analyzes whether or not the correspondence between the access status to the file and the file importance is appropriate, and if the security policy should be improved, a proposal to that effect Present a report. As a result, it is possible to reduce the work burden for the system administrator to review the security policy.

  In addition, the security policy management server 100 according to the ninth embodiment can automatically reflect the same content on the security policy instead of presenting the proposal report. As a result, the work burden for the system administrator to review the security policy can be further reduced.

  In the security policy management server 100 according to the ninth embodiment, the log recording program 160 manages log data separately from other programs. As a result, the effect of facilitating cooperation with other log management products can be expected.

  100: Security policy management server 110: File classification program 120: Security monitoring control program 130: Storage device 131: Importance category table 1311: Importance category field 1312: Importance description field 132: Importance Change rule definition table, 1321: Importance level field, 1322: Importance level change rule field, 133: Operation definition table, 1331: Importance level field, 1332: Accessibility field, 141: Folder importance level definition file, 1411: Important Degree field, 1412: Folder path field, 142: File name importance definition file, 1421: Importance field, 1422: File name keyword field, 143: Extension importance definition file, 14 1: Importance field, 1432: Extension field, 144: Keyword importance definition file, 1441: Importance field, 1442: Keyword field, 1443: Keyword file name field, 150: Classification status display program, 151: Classification result screen , 152: Graph, 153: Number of files for each importance, 154: Threshold table, 1541: Importance name field, 1542: Threshold field, 160: Log recording program, 170: Operation status analysis program, 171: Report file, 172 : Report file, 173: Report criteria table, 1731: Importance field, 1732: Accessability field, 1733: Action field, 1734: Report field, 174: Action criteria table 1741: Importance field, 1742: Accessability field, 1743: Action field, 1744: Automatic change field, 200: File importance management server, 210: Storage device, 211: Importance definition table, 2111: File name field, 2112: File path field, 2113: Importance field, 300: Client terminal, 320: Importance display program, 321: Folder importance display screen, 3211: File display field, 3212: Importance display field, 322: File property display Screen, 3221: importance display field, 3222: importance explanation display field, 3223: access availability display field, 330: importance change program, 331: importance change screen, 3311, 3312, 3313, 3316: display field, 3314 : Importance change column, 3315: Explanation text input column, 3317: Change button, 400: File server, 500: Gateway device, 1000: Security monitoring system.

Claims (15)

A server device that manages a security monitoring policy that defines an operation of a security monitoring program that monitors access to an electronic file,
A file classification unit that determines the importance of an electronic file and classifies it according to its importance;
Action definition data defining, for each importance, whether the security monitoring program should allow access to the electronic file;
A security monitoring control unit that accepts an inquiry as to whether or not to permit access to the electronic file from a computer that executes the security monitoring program and answers whether or not the electronic file is accessible according to the importance of the electronic file and the definition of the operation definition data When,
An operational status analysis unit that analyzes a correspondence relationship between the access status of the electronic file and the importance of the electronic file, and creates a result report;
A reference table describing the correspondence between the importance of the electronic file, the access status to the electronic file, and the processing content to be implemented for the security monitoring policy for the electronic file;
With
The operational status analysis unit
It is configured to analyze a correspondence relationship between the access status to the electronic file and the importance of the electronic file, and obtain the processing content corresponding to the analysis result from the reference table and execute the processing. And
The reference table is
When the access frequency for the electronic file whose access status has been analyzed by the operation status analysis unit is equal to or higher than a predetermined access frequency threshold as the processing content, the electronic file whose importance is equal to or lower than a predetermined importance threshold Changes the access permission from external take-out prohibition to external take-out permit, and specifies that the access permission / inhibition is changed from external take-out permission to external take-out prohibition for the electronic file whose importance is greater than the importance threshold. If the access frequency for the electronic file whose access status is analyzed by the operation status analysis unit is equal to or higher than the access frequency threshold, the importance is described as the importance threshold. The following electronic files are accessible Whether prompted to change the electronic files access permission for the importance the important degree threshold than with changing external takeout prohibited outside takeout permission from the external takeout permission to the external take-out prohibiting updating of security monitoring policy Describes a message that suggests content,
The operational status analysis unit
The security policy management server, wherein the update content corresponding to the analysis result is reflected in the security monitoring policy or the message corresponding to the analysis result is presented. The security monitoring control unit uses a communication protocol using HTTP,
The security policy management server according to claim 1, wherein an inquiry about the operation definition data is received from a computer that executes the security monitoring program and is returned to the computer. The file classification unit
Read the folder importance definition data that defines the correspondence between the file folder storing the electronic file and the importance of the file folder;
The security policy management server according to claim 1 or 2, wherein the importance of the electronic file is determined according to the definition of the folder importance definition data. The file classification unit
Read the file name importance definition data that defines the correspondence between the file name of the electronic file and the importance of the keyword included in the file name;
The security policy management server according to any one of claims 1 to 3, wherein the importance of the electronic file is determined according to the definition of the file name importance definition data. The file classification unit
Read the extension importance definition data defining the correspondence between the extension of the electronic file and the importance of the extension,
The security policy management server according to any one of claims 1 to 4, wherein the importance of the electronic file is determined according to the definition of the extension importance definition data. The file classification unit
Read keyword importance definition data that defines the correspondence between the keywords recorded in the electronic file and the importance of the keywords,
The security policy management server according to claim 1, wherein the importance of the electronic file is determined according to the definition of the keyword importance definition data. The security policy management server according to claim 1, further comprising a file classification status display unit that analyzes a current status of the classification performed by the file classification unit and displays the contents thereof. . The security policy management server according to claim 7, wherein the file classification status display unit classifies the number of the electronic files for each importance and displays the graph. The security policy according to any one of claims 1 to 8, further comprising a log recording unit that records, as a log, that the file classification unit has performed the classification and an access status to the electronic file. Management server. The security policy management server according to any one of claims 1 to 9,
A file importance management server that holds importance definition data that defines the correspondence between the file path of the electronic file and the importance of the electronic file;
Have
The file classification unit
Notifying the file importance management server of the result of determining the importance together with the full path name of the electronic file,
The file importance management server
The security monitoring system, wherein the file classification unit receives a result of determining the importance and stores it in the importance definition data. Having a client computer to access the electronic file;
The client computer is
Obtain a list of electronic files in the file folder storing the electronic files,
The importance of each electronic file described in the file list defined by the importance definition data is acquired, and the importance of each electronic file is displayed on the screen together with the file list. The security monitoring system described. The client computer is
Obtain a list of electronic files in the file folder storing the electronic files,
Claim 11, characterized in that the operation definition data is defined, to obtain an access permission definition for each electronic files listed in the file list, the screen displays the accessibility to each electronic file together with the file list The security monitoring system described. The client computer is
An importance change screen for inputting a change instruction to change the importance defined by the importance definition data is displayed on the screen.
When the change instruction is received on the importance change screen, the security policy management server is instructed to change the importance defined by the importance definition data according to the change instruction,
The security policy management server
The security monitoring system according to claim 11 or 12, wherein the importance defined by the importance definition data is changed in accordance with an instruction from the client computer. The client computer executes the security monitoring program,
The security monitoring program is provided on the client computer.
Detecting that access to the electronic file has occurred;
Inquiring to the security policy management server whether or not to permit access to the electronic file;
Controlling access to the electronic file according to the result of the inquiry;
The security monitoring system according to claim 11 , wherein the security monitoring system is executed. A gateway device that relays access to the electronic file from the client computer;
The gateway device is
When the client computer accesses the electronic file, obtain the full path name of the electronic file and notify the security policy management server,
The security policy management server
The security monitoring system according to claim 11, wherein importance of the electronic file is determined based on a full path name of the electronic file received from the gateway device.

Images