JP6221803B2 - Information processing apparatus, connection control method, and program - Google Patents

Description

  The present invention relates to an information processing apparatus, a connection control method, and a program.

  In recent years, for example, terminals such as personal computers (PCs), notebook PCs, tablets, and smartphones have been downsized and enhanced in functionality, and mobility has been improved. Also, terminals equipped with various communication interfaces are widespread, and users can obtain and transmit information using the terminals in various situations. Furthermore, terminals equipped with various sensors such as a camera, a position sensor, a temperature sensor, a humidity sensor, and an acceleration sensor have become widespread, and the usage scenes of the terminals are expanding.

  On the other hand, the development of network infrastructure has progressed, for example, the coverage area of carrier networks has expanded, and an environment in which public wireless LAN (Local Area Network) can be used in convenience stores, airports, hotels, Shinkansen, etc. It is coming. According to such a situation, it is expected that work can be efficiently performed anytime and anywhere using a terminal. On the other hand, it is also required to improve security when using the terminal.

  In this regard, a technique for determining an authentication method at a level suitable for user attributes and system configuration is known. In addition, there is known a technology for reliably realizing security management between domains (network systems) A, B, and C each having a different model in an open distributed environment system. (For example, see Patent Document 1 and Patent Document 2)

JP 2005-173805 A JP-A-7-141296

  In one aspect, an object of the present invention is to provide a technique capable of improving security when a user belonging to an organization connects a terminal to a network managed by another organization.

  An information processing apparatus according to one aspect of the present invention includes a reception unit and a notification unit. The receiving unit receives an access ticket issuance request when connecting a terminal belonging to the first organization to a network belonging to the second organization. The notification unit notifies an access ticket based on the authorization policy of the first organization and the authorization policy of the second organization to the controller of the second organization that performs control to transfer data to the terminal according to the notified access ticket. The notifying unit notifies the controller of the second organization that performs control for connecting the terminal to the network according to the notified access ticket, with an access ticket based on the authorization policy of the first organization and the authorization policy of the second organization. To do.

  According to one aspect, it is possible to improve security when a user belonging to a certain organization connects the terminal to a network managed by another organization.

This is an example of a case where a user desires to connect a terminal to a network of another company at a destination. It is a figure which illustrates the system by which the connection authorization process which concerns on one Embodiment is performed. It is a figure which illustrates the functional block structure of the arbitration server which concerns on embodiment. It is a figure which illustrates the functional block structure of the controller of the local side which concerns on embodiment. It is a figure which illustrates the functional block structure of the controller of the remote side which concerns on embodiment. It is a figure which illustrates the functional block structure of the terminal of the remote side which concerns on embodiment. It is a figure which illustrates the authorization level which concerns on embodiment. It is a figure which illustrates the authorization policy information which concerns on embodiment. It is a figure which illustrates arbitrator management information concerning an embodiment. It is a figure which illustrates the mediation request which concerns on embodiment. It is a figure which illustrates the access ticket which concerns on embodiment. It is an operation | movement flowchart which illustrates the connection authorization process performed in the system which concerns on embodiment. It is an operation | movement flowchart which illustrates the arbitration process which an arbitration server performs in the connection authorization process which concerns on embodiment. It is an operation | movement flowchart which illustrates the process which the controller of B company performs in the connection authorization process which concerns on embodiment. It is a figure which illustrates the connection network designation | designated information which concerns on embodiment. It is a figure which illustrates the network setting which concerns on embodiment. It is a figure explaining the change of the network setting which concerns on embodiment. It is an operation | movement flowchart which illustrates the process which the control part of the terminal of A company performs in the connection authorization process which concerns on embodiment. It is an operation | movement flowchart which illustrates the process which the control part of the controller of A company performs in the connection authorization process which concerns on embodiment. It is a figure which illustrates the hardware constitutions of the computer for implement | achieving the arbitration server which concerns on embodiment, the controller on the remote side, the controller on the local side, and a terminal.

  Hereinafter, some embodiments of the present invention will be described in detail with reference to the drawings. In addition, the same code | symbol was attached | subjected to the corresponding element in several drawing. In the following description, a company will be described as an example of an organization. However, the embodiment is not limited to a company, and can be applied to other associations, foundations, or unions. .

  There is a demand for a technique that can improve security when a user belonging to a certain organization connects a terminal to a network managed by another organization. For example, there may be a case where a user belonging to the company A wants to go to the company B as a business partner and connect his / her terminal to the company B network. FIG. 1 is an example of a case where a user belonging to company A desires to connect a terminal to a network at a destination.

  FIG. 1 shows an internal network 101 of company A, an internal network 102 of company B, a terminal 103 of company A that has visited company B, and a WAN (Wide Area Network) 105 such as a carrier network. . Here, for example, a user of company A's terminal 103 who visited company B for business or the like may wish to give a presentation at company B for the purpose of selling their products. In this case, for example, the user desires to display the material requested and received from the company A network via the WAN 105 on a display device and a device such as a projector belonging to the company B internal network 102. However, in such a case, for example, the following problems may occur.

  For example, there is a situation in which an administrator of company B's internal network 102 desires to limit the internal network resources that can be accessed by company A's terminal 103 that has been visited from a security perspective, for each company belonging to the visitor and for each business. Exists. In this case, for the network administrator of company B, for example, for security, an authorization range of the network to be connected is set each time, or authentication information of all visitors (for example, ID: identification and password) Need to be managed. However, such setting of the authorized range for each visitor and management of authentication information are laborious work, and increase the burden on the network administrator of company B. Alternatively, for example, there is a situation where it is not desirable to teach A company the ID and password for connecting to the internal network 102 of B company from the viewpoint of security.

  On the other hand, if a user of Company A terminal tries to give a presentation at Company B, for example, if access to a device such as a display device in Company B's in-house network 102 is not permitted, a document is printed in advance. It is inconvenient because it is necessary to deal with it. Also, for example, even if the company B's internal network 102 is used by performing authentication using an ID or password, the company B must be told the ID and password for logging in to the company B's internal network 102. It is not preferable because it does not become. In addition, for example, Company B may provide an external network that is open to visitors, in addition to the in-house network 102, so that external people can use it. However, simply by connecting to such an external network, for example, it is not possible to use a network device of a specific department in company B, and as a result, the user of company A's terminal 103 is in company B. There is a possibility that it may not be possible to use the terminal 103 of company A.

  In addition, the in-house network administrator of company A wants to prevent the company 103's terminal 103 from being connected to an external network and being infected with a computer virus. For this reason, there is a desire to limit the connection destination of the terminal 103 of the company A to only a secure network that satisfies the security policy of the company A. Further, for example, when the company 103 terminal 103 can use the company B company network 102 by performing authentication with an ID or password, the user A company terminal 103 can use the same login ID or There is a risk of reusing passwords. In such a case, the company B is informed of the ID and password used in other networks, which is not preferable.

  Furthermore, for example, in the situation illustrated in FIG. 1, there is a demand that the network administrator of A company wants to control the handling of data such as materials downloaded to the terminal 103 of A company. For example, handling of data once downloaded to the terminal 103 of Company A is left to the judgment of the user of the terminal 103. For this reason, there is a possibility that the user of the terminal 103 of the company A makes a judgment error and passes the data to the company B even though it is a material that should not be passed to other companies. In order to prevent such a situation, a mechanism that allows the network administrator of company A to control the handling of in-house data in the other company's network is desired. For example, from the above, there is a demand for a mechanism that allows the company 103's terminal 103 to securely use the devices of the company B's in-house network 102 while reducing the work burden on the company B's network manager.

  In some embodiments exemplified below, the information processing apparatus holds an authorization policy that defines a policy for handling data and devices for a plurality of companies (for example, Company A and Company B described above). Set up an arbitration server. When the arbitration server receives an authorization policy arbitration request from two companies, the arbitration server compares the authorization policies and mediates the authorization level to the stricter authorization policy. Then, the two companies that have made the arbitration request control, for example, the setting of the in-house network and the transfer of data to the terminal according to the arbitrated authorization level. The arbitration server may be operated by a reliable third party, for example.

  FIG. 2 is a diagram illustrating a system 200 in which a connection authorization process according to an embodiment is executed. The system 200 in FIG. 2 includes an arbitration server 210, a controller 201 of company A and a controller 202 of company B that function in cooperation with the arbitration server 210, and a terminal 203 of company A. These devices are connected via the WAN 205. Has been. Further, the controller 201 of company A manages the in-house network 101 of company A, and the controller 202 of company B manages the in-house network 102 of company B. Here, for example, when a user belonging to company A visits company B, the company A's terminal 203 possessed by the user is connected to company B's internal network 102 for presentation and the company B's equipment is used. There are situations that you want to do. In this case, for example, the user transmits an arbitration request for requesting arbitration between the authorization policy of company A and the authorization policy of company B from the terminal 203 of company A via the controller 202 of company B (see FIG. (1)). The arbitration request may include, for example, a company A certificate that proves that the request is from company A and a company B certificate that proves that the request is from company B. The company A certificate and the company B certificate may be certificates issued by a certificate authority (CA), for example.

  Upon receiving the arbitration request, the arbitration server 210 performs authentication using the A company certificate and the B company certificate included in the arbitration request ((2) in FIG. 2). When the authentication is successful and it is confirmed that the request is an arbitration request from Company A and Company B, the arbitration server 210 compares the authorization policy of Company A that has requested the mediation with the Company B authorization policy, and Mediation is performed ((3) in FIG. 2). The authorization policy is, for example, information that defines the level of permission for use of the company's own data and the company's equipment to other companies. Further details of the authorization policy will be described later. For example, the authorization policy for handling data for Company B by Company B may allow Company B to display the data of Company A. In this case, the company A may display the data on the output device of the company B, but does not permit the data to be stored in the storage device of the company B. In addition, the authorization policy for device handling by Company B by Company B may be, for example, permitting access to the output device and storage device in Company B's internal network 102. In this case, for example, company B may be connected to an output device in company B's in-house network 102 for displaying data of company A's terminal 203, and company B's in-house network for data storage. This indicates that the storage device in 102 may be connected. Here, if company A's terminal 203 stores data in the storage device in company B's internal network 102, the authorization policy for company B's equipment is satisfied, but the authorization policy for company A's data is no longer met. End up.

  For example, in such a case, the arbitration server arbitrates the authorization level of the authorization policy so as to match the stricter authorization policy. That is, in this example, in accordance with the authorization level of the authorization policy of the company A that permits only stricter data display, the authorization level of the authorization policy of the equipment of the company B does not permit access to the storage device, and the output device Mediate to an authorization level that allows access to. Then, the arbitration server 210 issues an access ticket that notifies the arbitrated authorization level to each of the controller 201 of company A, the controller 202 of company B, and the terminal 203 of company A ((4) in FIG. 2).

  When the B company controller 202 receives the access ticket, for example, the company A terminal 203 cannot connect to a storage device such as a file server, but can connect only to an output device such as a display. Setting is executed ((5a) in FIG. 2). In one embodiment, this network setting is performed using a VLAN (Virtual Local Area Network). A VLAN is, for example, a LAN (Local Area Network) in which terminals connected to a network are virtually (logically) grouped independently of a physical LAN configuration. One VLAN has one broadcast domain. become. VLAN is standardized by IEEE802.1Q. IEEE 802.1Q is IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks. For example, when the network setting is performed using the VLAN, the controller 202 of the company B assigns the VLAN-ID of the network to which only the output device in the company network 102 of the company B belongs to the terminal 203 of the company A. Set up. Further, the controller 202 of company B performs VLAN setting so as not to perform routing between the VLAN-ID network assigned to the terminal 203 of company A and, for example, a network having another VLAN-ID. For example, by setting in this way, it is impossible to access devices other than the output device of company B from the terminal 203 of company A. Therefore, for example, it is possible to prevent the data in the terminal 203 of company A from being stored in the storage device of company B by mistake. Therefore, the authorization policies of both Company A and Company B are satisfied and security can be maintained.

  On the other hand, the terminal 203 of company A that has received the access ticket adds an access ticket to a data transfer request such as a material to be used for the presentation and transmits it to the controller 201 of company A (FIG. 2). (5b)). When the controller 201 of company A receives the data transfer request from the terminal 203 of company A, the contents of the access ticket received from the arbitration server and the access ticket attached to the transfer request from the terminal 203 of company A are identical. Check if you are doing it. If the contents of the access tickets match, it is determined whether or not the data requested to be transferred may be transferred according to the arbitrated authorization level included in the access ticket. For example, if the authorization level permits the display of data, the content of the data may be shown to a person of company B. Therefore, the controller 201 of the company A internal network 101 instructs, for example, a file server in the company A internal network 101 to transfer data to the terminal 203 of company A ((6) in FIG. 2). . Upon receiving the instruction, for example, the file server transfers the data to the terminal 203 of company A ((7) in FIG. 2). Here, if the controller 202 of company B has completed the setting of the company network 102 of company B according to the received access ticket, the terminal 203 of company A may, for example, output an output device in the company network 102 of company B. Belonging to the VLAN-ID network that contains it. Therefore, it is possible to make a presentation by accessing the output device in the same network and displaying the data downloaded to the terminal 203 of company A on the output device of company B.

  Hereinafter, the connection authorization process according to the embodiment will be described with reference to FIGS. 3 to 19. FIG. 3 is a diagram illustrating a functional block configuration of the arbitration server 210 according to the embodiment. The arbitration server 210 includes a control unit 300 and a storage unit 310, for example. The control unit 300 includes functional units such as a reception unit 301, an authentication unit 302, an arbitration unit 303, and a notification unit 304, for example. The storage unit 310 of the arbitration server 210 stores, for example, information such as the program 320, authorization policy information 800 described later, and arbitrated person management information 900. The control unit 300 of the arbitration server 210 functions as functional units such as the reception unit 301, the authentication unit 302, the arbitration unit 303, and the notification unit 304 by reading and executing the program 320. Details of these functional units and details of information stored in the storage unit 310 will be described later.

  FIG. 4 is a diagram illustrating a functional block configuration of the local controller 202 according to the embodiment. Note that the local side represents, for example, a side that accepts a terminal of another company into its own network. In the example of FIG. The local controller 202 includes, for example, a control unit 400 and a storage unit 410. The control unit 400 includes functional units such as an arbitration request transfer unit 401, an authentication result notification unit 402, an access ticket transfer unit 403, and a network setting unit 404. The storage unit 410 of the local controller 202 stores, for example, information such as a program 420, a certificate 450 that certifies the company, and connection network designation information 1500 described later. The certificate may be a certificate issued by a certificate authority, for example. The control unit 400 of the local controller 202 functions as functional units such as an arbitration request transfer unit 401, an authentication result notification unit 402, an access ticket transfer unit 403, and a network setting unit 404 by reading and executing the program 420. To do. Details of these functional units and details of information stored in the storage unit 410 will be described later.

  FIG. 5 is a diagram illustrating a functional block configuration of the remote-side controller 201 according to the embodiment. The remote side represents, for example, a side that accepts its own terminal into another company's network, and may be the company A side in the example of FIG. The remote controller 201 includes, for example, a control unit 500 and a storage unit 510. The control unit 500 includes functional units such as an access ticket verification unit 501 and a data transfer instruction unit 502, for example. The storage unit 510 of the remote controller 201 stores information such as a program 520, for example. The control unit 500 of the remote controller 201 functions as functional units such as the access ticket verification unit 501 and the data transfer instruction unit 502 by reading and executing the program 520. Details of these functional units and details of information stored in the storage unit 510 will be described later.

  FIG. 6 is a diagram illustrating a functional block configuration of the remote terminal 203 according to the embodiment. Further, the remote-side terminal 203 is, for example, the company A's terminal 203 in FIG. The remote terminal 203 includes, for example, a control unit 600 and a storage unit 610. The control unit 600 includes functional units such as an arbitration request unit 601, a response reception unit 602, a data transfer request unit 603, and an external device display unit 604. The storage unit 610 of the remote terminal 203 stores, for example, information such as a program 620 and a certificate 650 that certifies the company. The certificate may be a certificate issued by a certificate authority, for example. The control unit 600 of the remote terminal 203 functions as functional units such as an arbitration request unit 601, a response reception unit 602, a data transfer request unit 603, and an external device display unit 604 by reading and executing the program 620. . Details of these functional units and details of information stored in the storage unit 610 will be described later.

  FIG. 7 is a diagram illustrating authorization levels according to the embodiment. In one embodiment, the arbitration server 210 stores an authorization policy for each other company of a plurality of companies that use the arbitration process. The authorization policy is set using, for example, an authorization level that is shared among a plurality of companies using the arbitration process. FIG. 7A illustrates an authorization level relating to data handling, and FIG. 7B illustrates an authorization level relating to equipment handling.

  For example, in FIG. 7A, the authorization level value: 1 is associated with a display permission and a storage permission as a data permission range. That is, for example, if there are Company A and Company B, the authorization level of data for Company B of Company A is set to 1. In this case, for example, the data of company A may be stored in the storage device of company B or displayed on the output device of company B.

  In FIG. 7A, the authorization level value: 2 is associated with a display permission as a data permission range. This indicates that, for example, when the authorization level of data for Company B of Company A is set to 2, the data of Company A may be displayed on the output device of Company B. On the other hand, for example, storing data in the storage device of company B is not permitted.

  The authorization level value: 3 is associated with all possible data permission ranges. For example, if the authorization level of data from Company A to Company B is set to 3, it is prohibited to leak Company A's data to Company B, and the data is displayed on the output device of Company B. Or stored in the storage device of company B.

  Further, in the authorization level regarding the handling of the device in FIG. 7B, the authorization level value of 1 is associated with the permission of use of the output device and the storage device as the scope of permission of use of the device. That is, for example, if there are Company A and Company B, it is assumed that the authorization level for use of the device for Company A of Company B is set to 1. In this case, for example, when a person from Company A visits Company B, a terminal may be connected to the storage device of Company B, or a terminal may be connected to the output device of Company B. It is shown that.

  The authorization level value: 2 is associated with an output device as a range of permission to use the device. For example, if the authorization level of device usage for Company A of Company B is set to 2, when a person of Company A visits Company B, it may be connected to an output device or the like. Show. On the other hand, for example, connection to a storage device of company B is prohibited.

  The authorization level value: 3 is associated with all “impossible” ranges for the use of the device. For example, if the authorization level of data for company A of company B is set to 3, when a person of company A visits company B, it is permitted to use the equipment of company B. It shows no.

  In the example shown in FIG. 7, the data handling authorization level value shown in FIG. 7A is configured to correspond to the device usage authorization level value shown in FIG. 7B. That is, for example, when the authorization level for handling data is 1 and display and storage are permitted, an output device that is a device used for display and a storage device that is used for storage are connected to the device. It is set to be usable at the authorization level: 1. Further, when the authorization level for handling data is 2 and the display is permitted, the output device, which is a device used for display, can be used at the authorization level: 2 while the data is stored. The device such as a storage device used for the above is set so that it cannot be used. When the authorization level for data handling is 3 and the use of data cannot be permitted to other companies, the device used for data usage is set so that it cannot be used at the device authorization level: 3. As another embodiment, for example, when the data authorization level and the device authorization level correspond to each other as described above, one authorization is obtained by combining both the data authorization level and the device authorization level. It may be set as a level. That is, for example, if the authorization level is 1, in the case of data, it can be displayed and stored, and devices such as an output device and a storage device can be used. If the authorization level is 2, data can be displayed, and the device of the output device can be used. The level of data handling with respect to one authorization level. And the device usage level may be associated with each other.

  In the example shown in FIG. 7, three levels 1 to 3 are set as the authorization level, but the embodiment is not limited to this. For example, in another embodiment, the data authorization level may be set to 0, and display, storage, and modification may be permitted. The change permission means that, for example, a person of company B is allowed to edit or modify data. In the example shown in FIG. 7, the strict authorization range is set as the authorization level value is large, but the embodiment is not limited to this. For example, in another embodiment, a stricter authorization range may be set as the authorization level value is smaller. In the following description, the embodiment will be described taking the case where the authorization level is set as shown in FIG. 7 as an example.

  Next, the authorization policy information 800, which is information for specifying the authorization level of data handling and device use for other companies, will be described. FIG. 8 is a diagram illustrating authorization policy information 800 according to the embodiment. The authorization policy information 800 is set using, for example, the authorization level exemplified in FIG. FIG. 8A illustrates the authorization policy information 800 for the company A's other company.

  For example, in the authorization policy information 800 of company A, the authorization policy of data for company B of company A is set to authorization level: 2. Therefore, for example, the data of Company A may be displayed on an output device such as a display device of Company B, but it is prohibited to store it in a storage device of Company B. Further, in the authorization policy information 800 of company A, the authorization policy of data for company C of company A is set to authorization level: 1. Therefore, for example, the data of company A may be displayed on the output device of company C, or may be stored in the storage device of company C.

  Further, in the device use authorization policy, the device use authorization policy for Company B of Company A is set to an authorization level: 2. Therefore, for example, it is permitted to connect the terminal of company B to the output device in the in-house network 101 of company A, but it is prohibited to connect to the storage device in the in-house network 101 of company A. In addition, the authorization policy for use of the device for company A by company C is set to authorization level 1. Therefore, for example, the terminal of company C may be connected to an output device in company network 101 of company A, or may be connected to a storage device or the like in company network 101 of company A.

  FIG. 8B illustrates the authorization policy information 800 for company B's other company. For example, in the authorization policy information 800 of company B, the authorization policy of data for company A of company B is set to authorization level: 1. Therefore, for example, the data of Company B may be displayed on an output device such as a display device of Company A, or may be stored in a storage device of Company A. In addition, the authorization policy of data for Company B of Company B is set to an authorization level: 3. Therefore, for example, it is not permitted for the company C to handle the data of the company B, and it is prohibited to display the data on the output device of the company C or to store it in the storage device of the company C.

  In the device use authorization policy, the device use authorization policy for Company A of Company B is set to an authorization level of 1. Therefore, for example, the terminal of Company A may be connected to an output device such as a display device of Company B, or may be connected to a storage device of Company B. In addition, the authorization policy for use of the device for Company B by Company B is set to an authorization level: 2. Therefore, for example, the terminal of company C may be connected to an output device in the network of company B, but connection to a storage device or the like is prohibited.

  8B, the authorization level of the data authorization policy and the authorization level of the device use authorization policy may be set to different values. . For example, in the authorization policy for company C of company B in FIG. 8 (b), company B prohibits company C from using its own data, but when company C's terminal visits company B, It is permitted to connect to the output device of company B and use it.

  In addition, as shown by a round frame in FIG. 8, the authorization policy of data for Company B of Company A is set to 2, while the authorization policy for use of equipment for Company A of Company B is set to 1. Yes. In this case, for example, Company A permits data to be displayed on an output device such as a display device of Company B, but does not permit storage in a storage device or the like of Company B. On the other hand, Company B permits, for example, the terminal of Company A to connect to and use an output device and a storage device in the company B's in-house network. In one embodiment, for example, in such a case, the arbitration server 210 performs arbitration to match the authorization level with a stricter authorization policy. That is, for example, since the authorization level of the data authorization policy for the company B of the company A is 2 and the authorization level of the authorization policy for the use of the device for the company A of the company B are different: 1 Stricter authorization level: The authorization level is adjusted to match 2.

  Furthermore, although the example of setting the authorization policy information 800 for each company is shown in the example of FIG. 8, the embodiment is not limited to this. For example, a data authorization policy may be set for each data type. That is, for example, the data in A is classified according to the importance, etc., and the authorization policy for the other companies of the data classified as high importance and the authorization policy for the other companies of the data classified as low importance are separated. You may comprise so that it may set. For example, an authorization level may be set for each type of business. That is, for example, in the data of the department that has a highly confidential work in Company A, a strict value is set as the authorization level for other companies, and the authorization level is set in the data of the department that performs general work. Different authorization levels may be set depending on the department, such as setting a loose value. The device authorization level also restricts the use of devices in the network used by departments with highly confidential work, while the equipment in the network of departments that perform general work is not available to other companies. Different authorization levels may be set depending on the department so as to permit use.

  The authorization policy information 800 such as the authorization policy information 800 of Company A and Company B exemplified above is stored in, for example, the storage unit 310 of the arbitration server 210 for each of a plurality of companies that execute the arbitration process according to the embodiment. It may be. In the following description, the embodiment will be described taking the case where the authorization policy information 800 is set as shown in FIG. 8 as an example.

  FIG. 9 is a diagram illustrating arbitrated person management information 900 according to the embodiment. In the arbitrated person management information 900, arbitrated person information 901, which is information about a company that requests the arbitration server 210 to arbitrate an authorization policy, is registered. The arbitrated person information 901 may include, for example, identification information, authentication information, an encryption key, and an address, and these pieces of information included in the arbitrated person information 901 are associated with each other. The identification information may be information for identifying the target company of the information registered in the arbitrated person information 901. For example, the identification information may be the name of the target company of the information registered in the arbitrator information 901. For example, the authentication information is information used for authentication of a target company of information registered in the arbitrated person information 901. In the authentication information, for example, information for authenticating the certificate of the target company of the information registered in the arbitrated person information 901 is registered. In the encryption key, for example, information on an encryption key used for encryption of communication between the company targeted for information registered in the arbitrated person information 901 and the arbitration server 210 is registered. The address may be, for example, a destination address used when the arbitration server 210 notifies an access ticket that is the result of the arbitration to the target company of information registered in the arbitrator information 901. For example, in the address, a destination to a controller (for example, the controller 201 and the controller 202) that manages the internal network of the target company of the information registered in the arbitrated person information 901 may be registered.

  FIG. 10 is a diagram illustrating an arbitration request 1000 according to the embodiment. The arbitration request 1000 includes, for example, the terminal ID of the connection request source terminal, the arbitrator identification information, and the arbitrator certificate. The terminal ID of the connection request source terminal is information for identifying the connection request source terminal, and may be, for example, the MAC address of the connection request source terminal. The MAC address is an abbreviation for Media Access Control address. In the identification information of the arbitrated person, information for identifying the company that receives the mediation of the authorization policy may be registered. In the arbitration request 1000 of FIG. 10, the name of the local company and the name of the remote company are registered as identification information of the arbitrated person. Here, the local side represents, for example, a side that accepts the terminal 203 described in the connection request source of the arbitration request 1000 in the company network. The remote side is, for example, the side of the company to which the terminal 203 described in the connection request source of the arbitration request 1000 belongs, and represents the side where the company's terminal 203 is accepted by another company's network. The certificate of the arbitrator is a certificate that proves the arbitrator. For example, a certificate issued by a certificate authority may be used as the certificate. The mediation request 1000 is used, for example, to request the mediation server 210 to mediate an authorization policy. As will be described later, the arbitration server 210 issues, for example, an access ticket for controlling the connection of the remote terminal to the network of the local organization as a response to the arbitration request 1000. Therefore, the arbitration request may be, for example, a request for permission to connect a terminal belonging to a remote organization to a network belonging to a local organization.

  FIG. 11 is a diagram illustrating an access ticket according to the embodiment. FIG. 11 illustrates an access ticket issued by the arbitration server 210 in response to an arbitration request between company A and company B. FIG. 11A shows, for example, an access ticket issued to the controller 201 of company A that manages the company network 101 of company A. FIG. 11B shows an access ticket issued to the terminal 203 of company A, for example. FIG. 11C shows an access ticket issued to the B company controller 202 that manages the B company internal network 102, for example.

  The access ticket may include, for example, a connection request source, an arbitrated person, an arbitrated authorization level, ticket identification information, and expiration date information. The connection request source may be information for identifying a terminal that requests connection to a network of another company, for example. In the example of FIG. 11, the connection request source is, for example, the MAC address of a terminal that requests connection to another company's network. In the arbitrated person, for example, information for identifying two companies that receive arbitration of the authorization policy is registered. The local side of the arbitrator may be, for example, a company that accepts a terminal of another company in its own network and authorizes the use of the device. Further, the remote side may be, for example, a company that has its own terminal accepted by another company's network. In the arbitration authorization level, for example, an authorization level as a result of arbitration performed by the arbitration server in response to the arbitration request is registered. The ticket identification information is, for example, identification information for identifying an access ticket, and may be a serial number assigned to the arbitration request received by the arbitration server. As the expiration date, for example, the expiration date for which the access ticket issued by the arbitration server is valid is registered.

  Further, as illustrated in the access ticket for the terminal 203 of the company A in FIG. 11B and the access ticket for the controller 202 of the company B in FIG. 11C, the access ticket includes encryption key information. Good. The encryption key included in the access ticket for the company A terminal 203 and the access ticket for the company B controller 202 in FIG. 11 is, for example, when data is transmitted / received between the company A terminal and a device in the company B network. This is the encryption key used to encrypt the data. This encryption key may be, for example, an encryption key for temporary use generated by the arbitration server for data transmission / reception between the terminal of company A and a device in company B's internal network 102.

  FIG. 12 is an operation flowchart illustrating the connection authorization process executed in the system 200 according to the embodiment. For example, as described with reference to FIG. 2, when the terminal 203 of company A visits company B, the terminal 203 of company A possessed by the user for the presentation is replaced with a predetermined network in company B. Suppose you want to connect to the device and use it. In this case, the company A terminal 203 uses, for example, identification information (for example, a MAC address) that can identify the company A terminal 203 as a connection request source, and company A identification information as a remote arbitrator, And an arbitration request including the certificate of company A as a certificate on the remote side. Then, the terminal 203 of the company A connects to the access point of the company B that is set so that anyone can connect, for example, and sends the generated arbitration request as an HTTP request (step 1201. The steps are hereinafter referred to as “S”. "Is abbreviated as" S1201 ", for example). Note that HTTP is an abbreviation for Hypertext Transfer Protocol. The controller 202 of company B includes the identification information of company B as the local arbitrator and the certificate of company B as the local certificate in the arbitration request sent from the terminal 203 of company A. An arbitration request 1000 is generated. Then, the controller 202 of company B redirects the generated arbitration request 1000 to the arbitration server 210 (S1202). The certificate of company A included in the arbitration request 1000 may be encrypted using an encryption key defined between company A and a third party operating the arbitration server 210. The certificate of company B included in the arbitration request 1000 may be encrypted using an encryption key defined between company B and a third party operating the arbitration server 210. Moreover, this encryption key may be registered in the encryption key of the arbitrator management information 900, for example.

  When the arbitration server 210 receives the arbitration request 1000 including the certificate of the company A and the certificate of the company B, each of the certificate of the company A and the certificate of the company B is used as authentication information of the arbitrator management information 900. Authentication is performed based on this (S1203). If either of the certificate of company A and the certificate of company B fails in authentication (NO in S1204), the arbitration server 210 notifies the controller 202 of company B that the authentication has failed, and the flow is S1207. Proceed to When the arbitration server 210 has successfully authenticated each of the certificate of company A and the certificate of company B (YES in S1204), the flow proceeds to S1205.

  In S1205, the arbitration server 210 compares, for example, the authorization policies of the company A that requested the arbitration and the company B, and mediates the authorization level according to the stricter authorization policy. For example, the arbitration server 210 reads the authorization policy information 800 of company A on the remote side of the arbitration request 1000 from the storage unit 310, and identifies the authorization level of data for company B of company A from the authorization policy information 800. Further, the arbitration server 210 reads, for example, the authorization policy information 800 of the company B on the local side of the arbitration request 1000 from the storage unit 310, and identifies the authorization level of the device for the company A of the company B from the authorization policy information 800. And the authorization level of the data with respect to B company of the obtained A company and the authorization level of the apparatus with respect to A company of B company are compared. For example, the data authorization policy of company A for company B is authorization level 2 in the example of FIG. In addition, the device authorization policy for Company A by Company B is authorization level 1 in the example of FIG. In this case, the arbitration server 210 mediates the authorization level to the authorization level 2 of Company A, which is a stricter authorization level.

  In S1206, the arbitration server 210 transmits, for example, an access ticket including the arbitrated authorization level to the controllers of the two companies that have requested arbitration (for example, the controller 201 of the company A and the controller 202 of the company B). Issue. In addition, the arbitration server 210 transmits an access ticket to the terminal 203 that has transmitted the arbitration request, for example, via the controller 202 of company B, and issues an access ticket.

  In step S <b> 1207, the controller 202 of company B receives an access ticket or a notification that authentication has failed as a response from the arbitration server 210 to the arbitration request 1000. In S1207, when the controller 202 of company B receives a notification that authentication has failed (NO in step S1207), the controller 202 of company B transmits a notification that authentication has failed to the terminal 203 of company A. . In S1207, when the controller 202 of company B receives the access ticket (YES in S1207), the flow proceeds to S1208. In step S <b> 1208, the company B controller 202 transfers the access ticket for the company A terminal 203 received from the arbitration server 210 to the company A terminal 203.

  Subsequently, in step S1209, the controller 202 of company B executes network setting of the in-house network 102 of company B according to the authorization level indicated in the received access ticket. For example, when the controller 202 of company B receives the access ticket of FIG. 11C, the authorization level is set to 2, and the terminal 203 of company A is connected to the output device in the company B network 102. May be. Therefore, for example, the controller 202 of company B sets the same VLAN-ID as the output device in the company network 102 of company B in the terminal 203 of company A that is the access ticket connection request source. Further, the controller 202 of company B sets the VLAN so as to prohibit routing between the VLAN-ID network set in the terminal 203 of company A and another network. For example, by setting in this way, the terminal 203 of company A can be connected to a network in company B having the set VLAN-ID. Then, the terminal 203 of company A can display data by connecting to an output device such as a display device or a projector in which the same VLAN-ID is set. On the other hand, in the set VLAN-ID network, other devices (such as storage devices) of company B do not belong, and the connection with other networks in company B is prohibited. . For this reason, the terminal 203 of company A is not connected to a storage device in company B, for example, and data in the terminal 203 is not stored in the storage device of company B. That is, use of data and devices permitted at the access ticket authorization level 2 can be performed, and unauthorized use of data and devices cannot be performed.

  Subsequently, in S1210, the terminal 203 of company A receives an access ticket or a notification that authentication has failed as a response to the arbitration request. In step S1210, when the company A terminal 203 receives a notification from the company B controller 202 that authentication has failed (NO in step S1210), the company A terminal 203 connects to the company B internal network 102. Exit. In S1210, when the terminal 203 of company A receives an access ticket (YES in S1210), the flow proceeds to S1211. In step S1211, the terminal 203 of company A adds an access ticket and requests the controller 201 of company A to transfer data.

  In S1212, the controller 201 of company A receives the transfer request from the terminal 203 of company A, the ticket identification information of the access ticket attached to the received transfer request, and the ticket of the access ticket received from the arbitration server 210 in S1206. Compare with identification information. Then, the controller 201 of company A verifies whether or not these ticket identification information matches (S1212). If the ticket identification information of the access tickets does not match (NO at S1213), the controller 201 of company A ends the data transfer to the terminal 203 of company A. On the other hand, if the ticket identification information matches (YES in S1213), the controller 201 of company A transfers the data to the terminal 203 of company A, and the file in the company's internal network 101 of company A manages by the controller 201 of company A. The server is instructed (S1214). In step S <b> 1215, the file server of company A that has received an instruction from the controller 201 of company A transfers data to the terminal 203 of company A.

  In response to the data transfer request transmitted to the controller 201 of company A, the company A terminal 203 that has received data from the file server of company A connects to the display device of company B in step S1216. As described above in S1209, the company A's terminal 203 is set with a predetermined VLAN-ID of company B, and an output device such as a display device belongs to the VLAN-ID network. Yes. For this reason, the terminal 203 of company A can be connected to a display device belonging to the same network, for example. In step S <b> 1217, the company A terminal 203 instructs the display device in the connected company B network 102 to display the data received from the company A file server. In S1218, the display device of company B displays the received data, and the operation flow ends.

  As described above, the terminal 203 of the company A can connect to the company B network 102 of the company B according to the authorization level arbitrated by the arbitration server 210 and use the device in the company B of the destination. As described above, in S1209, network setting is performed according to the authorization level notified by the access ticket. As illustrated above, if the authorization level is 2, the VLAN-ID of the network to which the output device of company B belongs is set in the terminal 203. For this reason, the terminal 203 of company A can connect to an output device such as a display device in the same network and display data using those devices. On the other hand, the storage device of the B company does not belong to the VLAN-ID network set in the terminal 203 of the A company. Therefore, it is not possible to connect to the storage device or the like of company B, and the data of the terminal 203 of company A is not erroneously stored in the storage device or the like of company B.

  As another embodiment, for example, when the authorization level included in the access ticket is the authorization level: 3 in FIG. 7, the use of all data and the use of devices are prohibited. In this case, for example, the controller 202 of the company B does not change the VLAN-ID of the terminal 203 of the company A by the network setting of S1209, and does not connect the device belonging to the company network 102 of the company B. Therefore, since the user of the terminal 203 of company A is prevented from connecting to the network of company B, the data of company A leaks to company B due to carelessness of the user of the terminal 203 of company A. Can be prevented. Alternatively, it is possible to prevent a situation in which the terminal 203 of company A is inadvertently connected to the network of company B where security management is not thorough and infected with a virus or the like.

  In still another embodiment, for example, when the authorization level of the access ticket is 3, the controller 201 of company A does not issue a file transfer instruction to the file server in step S1214, and instead the terminal 203 of company A A notification that the data cannot be transferred may be sent to. For example, with this configuration, the transmission of data to the terminal 203 of company A is controlled by the controller 201 of company A according to the authorization level. The company data can be prevented from leaking to other companies.

  Furthermore, as another embodiment, for example, when the authorization level of the access ticket is the authorization level of FIG. 7, the data of company A may be displayed or stored in company B. Permits the terminal 203 of company A to use the output device and storage device of company B. In this case, the controller 202 of company B sets the same VLAN-ID as the network to which the output device and storage device in company B belong to the terminal 203 of company A in the network setting of S1209. Further, the VLAN is set so as to prohibit the routing between the VLAN-ID network set in the terminal 203 of company A and other networks. By setting in this way, the terminal 203 of company A connects to an output device and a storage device belonging to the connected network, displays data using the output device, and stores data in the storage device. can do.

  In the operation flow of FIG. 12, in the processing of S1201, the control unit 600 of the terminal 203 of company A functions as, for example, the arbitration request unit 601. In the processing of S1202, the control unit 400 of the controller 202 of company B functions as the arbitration request transfer unit 401, for example. In the processing of S1203 and S1204, the control unit 300 of the arbitration server 210 functions as the reception unit 301 and the authentication unit 302, for example. In the processing of S1205, the control unit 300 of the arbitration server 210 functions as the arbitration unit 303, for example. In the process of S1206, the control unit 300 of the arbitration server 210 functions as the notification unit 304, for example. In the process of S1207, the control unit 400 of the controller 202 of company B functions as the authentication result notification unit 402, for example. In the processing of S1208, the control unit 400 of the controller 202 of company B functions as, for example, the access ticket transfer unit 403. In the processing of S1209, the control unit 400 of the controller 202 of company B functions as the network setting unit 404, for example.

  In the processing of S1210, the control unit 600 of the company A terminal 203 functions as the response reception unit 602, for example. In the processing of S1211, the control unit 600 of the company A terminal 203 functions as, for example, the data transfer request unit 603. In the processing of S1212 and S1213, the control unit 500 of the controller 201 of company A functions as, for example, the access ticket verification unit 501. In the processing of S1214, the control unit 500 of the controller 201 of company A functions as the data transfer instruction unit 502, for example. In the processing of S1216 and S1217, the control unit 600 of the company A terminal 203 functions as, for example, the external device display unit 604.

  Hereinafter, in the connection authorization process described with reference to FIG. 12, processes executed by the arbitration server 210, the company A controller 201, the company B controller 202, and the company A terminal 203 will be described individually.

  FIG. 13 is an operation flow illustrating the arbitration process executed by the arbitration server in the connection authorization process according to the embodiment. The operation flow in FIG. 13 is implemented, for example, by the control unit 300 of the arbitration server 210 reading and executing the program 320 stored in the storage unit 310. In one embodiment, the operation flow in FIG. 13 starts when the arbitration server 210 receives the arbitration request 1000.

  In S <b> 1301, the control unit 300 of the arbitration server 210 authenticates the arbitrated person based on the received arbitration request 1000. For example, the control unit 300 of the arbitration server 210 reads a certificate from the arbitration request 1000 and performs authentication using information registered in the arbitrated person management information 900. For example, in the case of performing authentication of company B, which is the local side of the arbitration request 1000, the arbitration server 210 refers to the identification information of the arbitrator management information 900 and includes the identification information of company B of the arbitration request 1000. The arbitrator information 901 is specified as the arbitrator information 901 of company B. Then, the B company certificate added to the arbitration request 1000 is authenticated using the B company authentication information included in the specified B company arbitrated person information 901. For example, when the certificate of company B included in the arbitration request 1000 is encrypted and transmitted from the viewpoint of security or the like, the arbitration server 210 transmits the encryption key of the arbitrator information 901 of company B. Decryption may be performed using the B company encryption key included in

  Further, in the case of performing authentication of the arbitrated person remote side of the arbitration request 1000: Company A, the arbitration server 210 refers to the identification information of the arbitrator management information 900, and the identification information of the company A of the arbitration request 1000 The tuned person information 901 including the above is specified as the tuned person information 901 of company A. Then, the A company certificate added to the arbitration request 1000 is authenticated using the A company authentication information of the specified A company arbitrated person information 901. For example, from the viewpoint of security, when the certificate of company A included in the arbitration request 1000 is encrypted and transmitted, the arbitration server 210 uses the encryption key of the arbitrator information 901 of company A. Decryption may be performed using the A company encryption key included in Note that the encryption key included in the arbitrator information 901 is used for communication between the company and the arbitration server 210 with the target company of information registered in the arbitrator information 901, for example. The agreed encryption key may be used.

  Subsequently, in S1302, when the authentication on either the remote side or the local side fails (S1302 is NO), the flow proceeds to S1304. In S1304, the control unit 300 of the arbitration server 210 returns a notification indicating that the authentication has failed to the device that has transmitted the arbitration request 1000. For example, as in the example shown in FIG. 12, when the arbitration request 1000 is transmitted from the controller 202 of company B to the arbitration server 210, the control unit 300 of the arbitration server 210 sends a notification indicating that the authentication has failed. It returns to the controller 202 of company B. In another embodiment, when the terminal 203 of company A directly transmits the arbitration request 1000 to the arbitration server 210, the control unit 300 of the arbitration server 210 directly sends a notification indicating that the authentication has failed. You may reply to the terminal 203. In S1304, when the control unit 300 of the arbitration server 210 transmits a notification indicating that the authentication has failed, the operation flow ends.

  On the other hand, in S1302, when both the remote side and local side authentication of the arbitration request 1000 is successful (S1302 is YES), the flow proceeds to S1303. In S <b> 1303, the control unit 300 of the arbitration server 210 executes arbitration between the authorization policies of the two companies indicated by the arbitrator in the arbitration request 1000. The control unit 300 of the arbitration server 210 reads, for example, the remote side: A company authorization policy information 800 indicated in the arbitration request 1000 from the storage unit 310. Then, the control unit 300 of the arbitration server 210 identifies the authorization level of data for the local side: Company B described in the arbitration request 1000 from the read authorization policy information 800 of the company A. For example, in the example of FIG. 8A, the authorization level of data: 2 for Company A and Company B is specified.

  Furthermore, the control unit 300 of the arbitration server 210 reads, for example, the authorization policy information 800 of the local company B company indicated in the arbitration request 1000 from the storage unit 310. Then, the control unit 300 of the arbitration server 210 specifies the authorization level of the device for the remote side: Company A described in the arbitration request 1000 from the read authorization policy information 800 of the company B. For example, in the example of FIG. 8B, the authorization level 1 of the device for Company A of Company B is specified.

  Then, the control unit 300 of the arbitration server 210 compares the authorization level of the specified remote data with the authorization level of the local device, and mediates the authorization level to a stricter authorization level. For example, when the arbitration of the authorization level is executed between the company A and the company B, the control unit 300 of the arbitration server 210 uses the data authorization level of the company A for the company B: 2 Since the authorization level is stricter than 1, the authorization level is adjusted to 2.

  In step S1305, the control unit 300 of the arbitration server 210 issues an access ticket with the arbitrated authorization level. The control unit 300 of the arbitration server 210 transmits, for example, an access ticket with an arbitrated authorization level to the device that has transmitted the arbitration request 1000. For example, in the example of FIG. 12, the arbitration request 1000 transmitted from the terminal 203 is redirected to the arbitration server by the controller 202 of company B. In this case, the control unit 300 of the arbitration server 210 sends an access ticket for the B company controller 202 with the authorization level after the arbitration and an access ticket for the terminal 203 with the authorization level after the arbitration. It may be transmitted to the controller 202. Furthermore, the control unit 300 of the arbitration server 210 may transmit, for example, an access ticket for the remote company A company's controller 201 of the arbitration request 1000 to the controller of the company A. Note that the address of the controller 201 of the company A may be acquired from the address of the arbitrated person information 901 of the company A in the arbitrated person management information 900, for example. When the access ticket is transmitted in S1305, the operation flow ends.

  In the operation flow of FIG. 13 described above, the control unit 300 of the arbitration server 210 functions as, for example, the reception unit 301 in receiving the arbitration request 1000 that triggers the start of the operation flow. In the processes of S1301, S1302, and S1304, the control unit 300 of the arbitration server 210 functions as the authentication unit 302, for example. In the process of S1303, the control unit 300 of the arbitration server 210 functions as the arbitration unit 303, for example. In the process of S1305, the control unit 300 of the arbitration server 210 functions as the notification unit 304, for example.

  FIG. 14 is an operation flow illustrating a process executed by the controller 202 of company B in the connection authorization process according to the embodiment. The operation flow of FIG. 14 is implemented, for example, when the control unit 400 of the controller 202 of company B reads and executes the program 420 stored in the storage unit 410. In one embodiment, the operation flow of FIG. 14 starts when the controller 202 of company B receives an arbitration request from the terminal 203 of company A.

  In S <b> 1401, the controller 202 of company B generates an arbitration request 1000 by adding the certificate of company B to the arbitration request received from the terminal 203 of company A, and transmits the generated arbitration request 1000 to the arbitration server 210. . In step S <b> 1402, the company B controller 202 determines whether a response to the arbitration request has been received from the arbitration server 210. If no response has been received (NO in S1402), the flow repeats the process of S1402. When a response is received (S1402 is YES), the flow proceeds to S1403. In step S <b> 1403, the controller 202 of company B determines whether authentication has succeeded in the arbitration server 210. When the notification indicating that the authentication has failed is received from the arbitration server 210 (NO in S1403), the flow proceeds to S1406. In S1406, the controller 202 of company B transmits a notification indicating that the authentication has failed to the terminal 203 of company A, and the operation flow ends.

  On the other hand, when the controller 202 of company B receives, for example, an access ticket for the controller 202 of company B and an access ticket for the terminal 203 from the arbitration server 210 (YES in S1403), the flow proceeds to S1404. In step S <b> 1404, the controller 202 of company B transfers the access ticket for the terminal 203 received from the arbitration server 210 to the terminal 203. In step S <b> 1405, the company B controller 202 executes network setting based on the authorization level included in the access ticket for the company B controller 202 received from the arbitration server 210. For example, the controller 202 of company B refers to the connection network designation information 1500 that associates the authorization level and the VLAN-ID stored in the storage unit 410 in S1405, and determines the VLAN-ID corresponding to the authorization level as A Set for the company terminal 203. In S1405, when the controller 202 of company B completes the network setting, the operation flow in FIG. 14 ends.

  In the operation flow of FIG. 14 described above, in the process of S1401, the control unit 400 of the controller 202 of company B functions as, for example, the arbitration request transfer unit 401. In the processes of S1402, S1403, and S1406, the control unit 400 of the controller 202 of company B functions as the authentication result notification unit 402, for example. In the process of S1404, the control unit 400 of the controller 202 of company B functions as, for example, the access ticket transfer unit 403. In the processing of S1405, the control unit 400 of the controller 202 of company B functions as the network setting unit 404, for example.

  FIG. 15 is a diagram exemplifying connection network designation information 1500 used by the company B controller 202 to execute network settings in step S1405. In the example of FIG. 15, VLAN-ID: 20 is associated with authorization level: 1, VLAN-ID: 10 is associated with authorization level: 2, and VLAN-ID: 100 is associated with authorization level: 3. It has been. The controller of company B acquires, for example, the VLAN-ID associated with the arbitrated authorization level value included in the access ticket from the connection network designation information 1500, and sends the VLAN-ID to the terminal 203. Set.

  FIG. 16 is a diagram exemplifying network setting by the controller 202 of company B. FIG. 16A illustrates the VLAN setting at the time when the arbitration request 1000 from the terminal 203 is redirected to the arbitration server 210. FIG. 16B illustrates the VLAN setting after the controller 202 of company B executes the network setting of S1405. As shown in the figure, in the VLAN setting at the time when the arbitration request 1000 from the terminal 203 in FIG. . The VLAN-ID: 100 may be set as an external network that anyone can connect to, for example. Further, the VLAN-ID: 100 network may be set as a network that can only transfer the arbitration request 1000 to the arbitration server 210, for example.

  On the other hand, in the VLAN setting after executing the network setting of S1405 in FIG. 16B, the VLAN-ID of the terminal 203 of company A is changed to VLAN-ID: 10 corresponding to the authorization level: 2 in FIG. ing. Here, the VLAN-ID: 10 includes an output device such as a plasma display panel 1 that is permitted to be used at an authorization level: 2, but does not include other file servers, personal computers, and the like. Network. The network with VLAN-ID: 10 is set not to perform routing with other networks. Therefore, the terminal 203 of company A can connect to the plasma display panel 1 and display data and the like. On the other hand, the terminal 203 of company A cannot be connected to a file server or the like, and the data in the terminal 203 of company A is prevented from being stored in the file server or the like by mistake.

  When the value of the arbitrated authorization level included in the access ticket is 1, VLAN-ID: 20 is set in the terminal 203 of company A as shown in FIG. Here, the VLAN-ID: 20 is a network configured to include an output device such as the plasma display panel 1 that is permitted to be used at an authorization level: 1 and a storage device such as a file server. For this reason, the terminal 203 of company A can connect to the plasma display panel 2 belonging to the VLAN-ID: 20 network to display data, or access the file server to store data. On the other hand, the network of VLAN-ID: 20 is set not to perform routing with other networks. For this reason, for example, a personal computer belonging to the VLAN-ID: 50 network and the terminal 203 of company A are prevented from being connected.

  Furthermore, when the value of the arbitrated authorization level included in the access ticket is 3, VLAN-ID: 100 is set in the terminal 203 of company A as shown in FIG. As described above, VLAN-ID: 100 is set as an external network that can only transfer the arbitration request 1000 to the arbitration server 210, for example. For this reason, the terminal 203 of company A can send an arbitration request 1000 to the arbitration server 210 via the controller 202 of company B. Can not. For example, by performing the VLAN setting as described above, it is possible to execute the network setting according to the authorization level notified by the access ticket.

  FIG. 17 is a diagram for explaining the network setting change exemplified in FIGS. 16A and 16B. As shown in FIG. 17, when the controller 202 of company B redirects the arbitration request 1000 from the terminal 203 to the arbitration server 210 (in FIG. 16A), the terminal 203 of company A has VLAN-ID: 100 is set. In the network of VLAN-ID: 100, for example, the terminal 203 of company A is allowed to communicate (communication indicated by a dotted arrow in FIG. 17) for sending an arbitration request to the arbitration server 210, but other communications are permitted. Not. On the other hand, after the controller 202 of company B executes the network setting of S1405 (at the time of FIG. 16B), the terminal 203 of company A is set to VLAN-ID: 10. In this case, for example, the plasma display panel of company B is also set to VLAN-ID: 10, so that the terminal 203 of company A can connect to the plasma display panel of company B and display data ( Communication indicated by solid arrows in FIG. On the other hand, for example, since the file server is set to a different VLAN-ID: 20, the terminal 203 of company A cannot connect to the file server. The controller 202 of company B may execute the network setting as described above, for example, by setting the VLAN of the switch.

  FIG. 18 is an operation flow illustrating a process executed by the control unit 600 of the terminal 203 of company A in the connection authorization process according to the embodiment. The operation flow of FIG. 18 is implemented by, for example, reading and executing the program 620 stored in the storage unit 610 by the control unit 600 of the terminal 203 of company A. In one embodiment, the operation flow in FIG. 18 starts when a user inputs an arbitration request transmission instruction to the control unit 600 of the company A terminal 203.

  In step S <b> 1801, the control unit 600 of the company A terminal 203 transmits an arbitration request to which the company A certificate is added. The control unit 600 of the terminal 203 of the company A connects to the access point of the company B using, for example, the SSID assigned to transmit the request for arbitration to the arbitration server 210 and transmits the arbitration request. In step S <b> 1802, the control unit 600 of the company A terminal 203 determines whether a response to the arbitration request is received from, for example, the company B controller 202. When the response has not been received (NO in S1802), the control unit 600 of the terminal 203 of company A repeats the process of S1802. When the response is received (S1802 is YES), the flow proceeds to S1803. In step S1803, the control unit 600 of the company A terminal 203 determines whether authentication is successful based on the received response. For example, when a notification indicating that the authentication has failed is received from the controller 202 of company B (NO in S1803), the operation flow ends.

  On the other hand, when an access ticket is received from the controller 202 of company B (Yes in S1803), the flow proceeds to S1804. In step S1804, the control unit 600 of the terminal 203 of company A adds the received access ticket to the data transfer request and transmits the request to the controller 201 of company A. Note that the data requesting transfer may be, for example, data selected by the user at the terminal 203 of company A, such as a material used in a presentation to company B. In step S <b> 1805, the control unit 600 of the company A terminal 203 determines whether data is received from the company A controller 201 as a response to the data transfer request. When data is not received (S1805 is NO), the flow repeats the process of S1805. As exemplified in S1213, when the verification of the access ticket in S1212 fails, the controller 201 of company A ends the process without transmitting data to the terminal 203 of company A. Therefore, the processing of S1805 may be configured to end the operation flow of FIG. 18 when data cannot be received from the controller 201 of company A after being repeatedly executed for a predetermined time.

  In S1805, when data is received from the controller 201 of company A (S1805 is YES), the flow proceeds to S1806. In step S1806, the control unit 600 of the company A terminal 203 determines whether there is a connectable device in the network to which the company A terminal 203 belongs. As described above, in S1405, the company B controller 202 sets the VLAN-ID of the company A terminal 203 in accordance with the authorization level of the access ticket. Therefore, a device corresponding to the authorization level of the access ticket belongs to the VLAN-ID network set in the terminal 203 of company A. For example, if the authorization level is 1, the output device and the storage device belong to the same network. For example, if the authorization level is 2, the output device belongs to the same network. For example, if the authorization level is 3, the device of company B does not belong to the same network. If there is no connectable device in the same network in S1806 (NO in S1806), this operation flow ends. On the other hand, if there is a connectable device in the same network in S1806 (S1806 is YES), the flow proceeds to S1807.

  In step S1807, the control unit 600 of the company A terminal 203 receives, from the user, selection of a device to be used among devices belonging to the same network of the company B, for example. In step S1808, the control unit 600 of the terminal 203 of company A connects to the selected device and uses the connected device in accordance with an instruction input from the user. For example, if the selected device is a display device, the control unit 600 of the terminal 203 of company A may transmit data to the selected display device to display the data. For example, if the selected device is a storage device, the control unit 600 of the terminal 203 of company A may transmit data to the selected storage device and store the data. In addition, the terminal 203 of company A may perform encryption using the encryption key attached to the access ticket for the terminal 203 of company A in communication with the selected device. In addition, when encryption is performed, a device of company B such as a file server that receives data uses the encryption key included in the access ticket transmitted to the controller 202 of company B to use the terminal 203 of company A. Data received from may be decrypted. In S1808, when the device connected to the terminal 203 of company A is used, this operation flow ends.

  In the operation flow of FIG. 18 described above, in the process of S1801, the control unit 600 of the company A terminal 203 functions as, for example, the arbitration request unit 601. In the processing of S1802 and S1803, the control unit 600 of the terminal 203 of company A functions as the response receiving unit 602, for example. In the processing of S1804 and S1805, the control unit 600 of the company A terminal 203 functions as the data transfer request unit 603, for example. In the processing of S1806 to S1808, the control unit 600 of the company A terminal 203 functions as the external device display unit 604, for example.

  FIG. 19 is an operation flow illustrating a process executed by the control unit 500 of the controller 201 of company A in the connection authorization process according to the embodiment. The operation flow of FIG. 19 is implemented by, for example, reading and executing the program 520 stored in the storage unit 510 by the control unit 500 of the controller 201 of company A. In one embodiment, when the control unit 500 of the controller of Company A receives an access ticket from the arbitration server 210, the operation flow of FIG.

  In step S1901, the control unit 500 of the company A controller 201 determines whether or not a data transfer request with an access ticket added is received from the company A terminal 203. When the data transfer request is not received (NO in S1901), the control unit 500 of the controller 201 of company A repeats the process of S1901. On the other hand, if a data transfer request has been received (YES in S1901), the flow proceeds to S1902. In step S1902, the control unit 500 of the controller 201 of company A determines whether the ticket identification information of the access ticket received from the terminal 203 of company A matches the ticket identification information of the access ticket received from the arbitration server 210. To do. If the ticket identification information does not match (NO in S1902), the operation flow ends. On the other hand, if the ticket identification information matches (YES in S1902), the flow proceeds to S1903.

  In step S <b> 1903, the control unit 500 of the company A controller 201 determines whether to transfer data based on the access ticket authorization level received from the terminal 203 or the arbitration server 210, for example. For example, when the authorization level of the access ticket is set to the authorization level 1 or 2 in FIG. 7, it is permitted to display at least the data requested to be transferred to the person of the company B. Therefore, the data may be permitted to be transferred to the company A terminal 203 for display. On the other hand, for example, when the authorization level of the access ticket is set to the authorization level 3 in FIG. 7, the handling of the data requested to be transferred is not permitted to the person of the company B. Therefore, in S1903, the control unit 500 of the controller 201 of company A may determine that transfer is not possible if the authorization level of the access ticket is 3, for example. On the other hand, for example, if the access ticket authorization level is 1 or 2, the control unit 500 of the controller 201 of Company A may determine that the transfer is permitted. If transfer is not permitted in S1903 (NO in S1903), this operation flow ends. On the other hand, if transfer is permitted (YES in S1903), the flow proceeds to S1904. In step S <b> 1904, the control unit 500 of the company A controller 201 instructs the file server in the in-house network 101 managed by the company A controller 201 to transmit the requested data to the company A terminal 203. This operation flow ends. Upon receiving the data transfer instruction, the file server transmits the requested data to the terminal 203 of company A.

  In the operation flow of FIG. 19 described above, in the processing of S1901 to S1903, the control unit 500 of the controller 201 of company A functions as, for example, the access ticket verification unit 501. In the processing of S1904, the control unit 500 of the controller 201 of company A functions as the data transfer instruction unit 502, for example.

  As illustrated above, according to the embodiment, it is possible to improve security when a user belonging to a certain organization connects a terminal to a network managed by another organization. For example, when the user of the company A terminal 203 visits company B and tries to give a presentation, in the connection authorization process according to the embodiment, the arbitration server 210 determines that the authorization policy of company A and the authorization policy of company B are Mediated. Then, the authorization level set in a range satisfying the authorization policies of both companies is notified from the arbitration server 210 to the controller 202 of the company B. The controller 202 of company B executes network settings according to the notified authorization level, and connects the terminal 203 of company A to the in-house network 102 of company B within a range that satisfies the authorization level. Therefore, for example, if the network administrator of company A feels uneasy about the security of the network of company B, the authorization level: 3 is set as the authorization policy for company B of company A. In this way, it is possible to control the terminal 203 of the company not to be connected to the company B network. Alternatively, for example, when the data of company A should not be stored in the storage device of company B, an authorization level: 2 is set as an authorization policy for company B of company A. In this way, for example, when the terminal 203 of company A cannot connect to the storage device or the like even when it is connected to the in-house network 102 of company B, Data does not leak from the terminal 203. Therefore, for example, a remote network administrator (for example, Company A) who connects his / her terminal to another company's network can limit the network to which his / her terminal is connected to a secure network that satisfies his / her authorization level. The handling of data after connection can also be managed according to the authorization level.

  In addition, according to the embodiment, for example, when an arbitration request is transmitted, a terminal of another company is connected to an external network set so that anyone can connect within the company. Then, the network setting is changed according to the authorization level of the access ticket received from the arbitration server 210, and the terminal of another company is connected to the in-house network according to the authorization level. Thus, for example, a local (for example, Company B) network administrator who accepts another company's terminal within the company's internal network uses an ID and password used for authentication to connect the other company's terminal 203 to the company's network. Etc. need not be managed. Therefore, for example, it is possible to reduce the man-hours for obtaining and managing information of all visitors who wish to connect to the company network.

  Furthermore, for users who wish to accept the terminal to the other company's network, for example, it is possible to reduce the trouble of memorizing the ID and password when connecting to the other company's network, or to the other company's own ID and password. This is useful because you do not need to pass information. Furthermore, when the terminal can be connected to a network of another company, the connection destination is a connection destination that satisfies the company's authorization policy, so that the work can be executed with peace of mind.

  In the example of FIG. 11, the access ticket includes an expiration date. In one embodiment, for example, when a data transfer request attached with an access ticket whose expiration date has passed is received from the company A terminal 203 in the above-described step S1212, the company A controller 201 determines that S1213 is NO. May be. For example, when the controller 202 of company B allocates a network according to the authorization level to the terminal 203 in step S1209, a process for restoring the network settings after the expiration date has passed may be executed. . In this case, even if the terminal 203 of company A tries to connect to the display device of company B after the expiration date has passed, it cannot be connected because the network setting of the terminal 203 has been returned to the state before the processing in step S1209. .

Further, in the above-described embodiment, the explanation was given with company A as the remote side and company B as the local side. However, the embodiment is not limited to this. For example, the controller 202 of company B may function as a remote side, and the controller 201 of company A may function as a local side. That is, for example, the controller 201 of the company A and the controller 202 of the company B may include both the functional units illustrated in FIGS. 4 and 5 and information.
FIG. 20 is a diagram illustrating a hardware configuration of a computer 2000 for realizing the arbitration server 210, the remote controller 201, the local controller 202, and the terminal 203 according to the embodiment. 20 includes, for example, a processor 2001, a memory 2002, a storage device 2003, a reading device 2004, a communication interface 2006, and an input / output interface 2007. Note that the processor 2001, the memory 2002, the storage device 2003, the reading device 2004, the communication interface 2006, and the input / output interface 2007 are connected to each other via a bus 2008, for example.

  The processor 2001 provides a part or all of the functions of the functional units described above by executing a program describing the procedure of the operational flow described above using the memory 2002, for example.

  For example, the control unit 300 of the arbitration server 210 is a processor 2001, and the storage unit 310 includes, for example, a memory 2002, a storage device 2003, and a removable storage medium 2005. For example, the processor 2001 of the arbitration server 210 functions as the reception unit 301, the authentication unit 302, the arbitration unit 303, and the notification unit 304 by reading and executing the program 320 stored in the storage device 2003. In the storage device 2003 of the arbitration server 210, for example, a program 320, authorization policy information 800, and arbitrated person management information 900 are stored.

  Further, for example, the control unit 400 of the local controller 202 (for example, company B) is a processor 2001, and the storage unit 410 includes, for example, a memory 2002, a storage device 2003, and a removable storage medium 2005. Yes. The processor 2001 of the controller 202 reads out and executes the program 420 stored in the storage device 2003, for example, to thereby execute an arbitration request transfer unit 401, an authentication result notification unit 402, an access ticket transfer unit 403, and a network setting unit 404. Function as. The storage device 2003 of the controller 202 stores, for example, a program 420, a certificate 450 that certifies the company, and connection network designation information 1500.

  For example, the control unit 500 of the remote-side controller 201 (for example, company A) is a processor 2001, and the storage unit 510 includes, for example, a memory 2002, a storage device 2003, and a removable storage medium 2005. For example, the processor 2001 of the controller 201 functions as the access ticket verification unit 501 and the data transfer instruction unit 502 by reading and executing the program 520 stored in the storage device 2003. For example, a program 520 is stored in the storage device 2003 of the controller 201.

  For example, the control unit 600 of the remote terminal 203 is a processor 2001, and the storage unit 610 includes, for example, a memory 2002, a storage device 2003, and a removable storage medium 2005. The processor 2001 of the terminal 203 reads out and executes the program 620 stored in the storage device 2003, for example, as an arbitration request unit 601, a response reception unit 602, a data transfer request unit 603, and an external device display unit 604. Function. For example, the storage device 2003 of the terminal 203 stores a program 620 and a certificate 650 for proving the company.

  The memory 2002 is a semiconductor memory, for example, and includes a RAM area and a ROM area. Note that RAM is an abbreviation for Random Access Memory. ROM is an abbreviation for Read Only Memory. The storage device 2003 is, for example, a semiconductor memory such as a hard disk or a flash memory, or an external storage device.

  The reading device 2004 accesses the removable storage medium 2005 in accordance with instructions from the processor 2001. The detachable storage medium 2005 includes, for example, a semiconductor device (USB memory or the like), a medium to / from which information is input / output by magnetic action (magnetic disk or the like), a medium to / from which information is input / output by optical action (CD-ROM, For example, a DVD). USB is an abbreviation for Universal Serial Bus. CD is an abbreviation for Compact Disc. DVD is an abbreviation for Digital Versatile Disk.

  The communication interface 2006 transmits and receives data via the network 2020 in accordance with instructions from the processor 2001. The input / output interface 2007 corresponds to, for example, an interface between the input device and the output device. The input device may be a device such as a keyboard or a mouse that receives an instruction from the user, for example. The output device may be a display device such as a display and an audio device such as a speaker.

Each program according to the embodiment may be provided to the arbitration server 210, the controller 201, the controller 202, and the terminal 203 in the following form, for example.
(1) Installed in advance in the storage device 2003.
(2) Provided by the removable storage medium 2005.
(3) Provided from a server 2030 such as a program server.

  In the above, several embodiments have been described. However, the embodiments are not limited to the above-described embodiments, and should be understood as including various modifications and alternatives of the above-described embodiments. For example, it will be understood that various embodiments can be embodied by modifying the components without departing from the spirit and scope thereof. It will be understood that various embodiments can be made by appropriately combining a plurality of components disclosed in the above-described embodiments. Further, various embodiments may be implemented by deleting or replacing some components from all the components shown in the embodiments, or adding some components to the components shown in the embodiments. Those skilled in the art will appreciate that this can be done.

200 System 201 Remote Controller 202 Local Controller 203 Terminal 205 WAN
210 arbitration server 300 control unit 301 reception unit 302 authentication unit 303 arbitration unit 304 notification unit 310 storage unit 2000 computer 2001 processor 2002 memory 2003 storage device 2004 reading device 2005 removable storage medium 2006 communication interface 2007 input / output interface 2008 bus 2020 network 2030 server

Claims (8)

A receiving unit for receiving a request for permission to connect a terminal belonging to the first organization to a network belonging to the second organization;
A controller of the first organization that performs control to transfer data to the terminal according to the notified access ticket; and a controller of the second organization that performs control to connect the terminal to the network according to the notified access ticket; A notification unit for notifying an access ticket based on the authorization policy of the first organization and the authorization policy of the second organization;
including,
An information processing apparatus characterized by that. The information processing apparatus compares the level of the authorization policy of the first organization with respect to the second organization with the level of the authorization policy of the second organization with respect to the first organization, and arbitrates to a stricter level. And further includes an arbitration unit
The notification unit notifies the access ticket including the arbitrated level;
The information processing apparatus according to claim 1. The terminal belonging to the first organization receives the access ticket, adds the access ticket to the data transfer request, and transmits it to the controller of the first organization,
Whether the controller of the first organization permits the transfer of the data based on the arbitrated level included in the access ticket when the transfer request of the data to which the access ticket is added is received The information processing apparatus according to claim 2, wherein it is determined whether or not. The level of the authorization policy is
The first level that allows the data of the own organization to be displayed and stored on the device of the other organization, and allows the terminal of the other organization to connect to the output device and the storage device in the network of the own organization ,
The second level that allows the display of the data of the own organization on the devices of the other organization, and allows the terminals of the other organization to connect to the output device in the network of the own organization, and the data of the own organization A third level that prohibits use by other organizations and prohibits terminals of other organizations from connecting to devices in the network of the own organization;
Is set to one of the levels
The third level is more severe than the second level;
The second level is a stricter level than the first level.
The information processing apparatus according to claim 2, wherein the information processing apparatus is an information processing apparatus.   The controller of the second organization, when the arbitrated level included in the access ticket notified from the information processing apparatus is the first level, the terminal belonging to the first organization, Of the networks managed by the controller of the second organization, it belongs to the network to which the output device and the storage device belong, and the network to which the output device and the storage device belong and the controller of the second organization manage The information processing apparatus according to claim 4, wherein routing to other networks is prohibited.   The controller of the second organization, when the arbitrated level included in the access ticket notified from the information processing apparatus is the second level, the terminal belonging to the first organization, Of the networks managed by the controller of the second organization, between the network to which the output device belongs and the network to which the output device belongs and the other network managed by the controller of the second organization 6. The information processing apparatus according to claim 4, wherein the routing of the information processing apparatus is prohibited. Receiving a request for permission to connect a terminal belonging to the first organization to a network belonging to the second organization;
A controller of the first organization that performs control to transfer data to the terminal according to the notified access ticket; and a controller of the second organization that performs control to connect the terminal to the network according to the notified access ticket; An access ticket based on the authorization policy of the first organization and the authorization policy of the second organization,
A program that causes a computer to execute processing. Receiving a request for permission to connect a terminal belonging to the first organization to a network belonging to the second organization;
A controller of the first organization that performs control to transfer data to the terminal according to the notified access ticket; and a controller of the second organization that performs control to connect the terminal to the network according to the notified access ticket; Notifying an access ticket based on the authorization policy of the first organization and the authorization policy of the second organization;
A connection control method executed by a computer.

Images