JP6306992B2 - Account management method, account management server, and account management system - Google Patents

Description

  The present invention relates to an account management method, an account management server, and an account management system. For example, the present invention relates to account management for using a cloud service.

  In recent years, companies have begun to realize an environment where they can work anytime, anywhere to solve management issues such as strengthening sales capabilities and ensuring work-life balance.

  In particular, the use of SaaS / IaaS that is inexpensive and easy to access from outside the company is increasing, but many users are worried about security when using SaaS / IaaS for business. Therefore, as one of the security measures, a method of collectively managing SaaS / IaaS authentication IDs and performing access control according to the situation can be considered. In connection with this, ID linked products that are subject to access control by IP address, date, etc. are on the market.

  For example, Patent Document 1 discloses a federation-type cloud service environment that transparently provides a plurality of incompatible cloud services that are interoperable, and a federation method for a cloud client that seeks a cloud service from the cloud. Have been described. According to Patent Document 1, it is possible to reduce the trouble and complexity of the user when accessing a plurality of cloud services.

JP 2011-129117 A

  However, in the conventional technology such as Patent Document 1, it is possible to access the cloud service from any location on the network, which may lead to leakage of confidential information due to the service user's intention or negligence. There is sex. On the other hand, if security is too important, there is a risk that the system becomes inconvenient for the user. Therefore, a mechanism that can ensure security without sacrificing user convenience as much as possible is desired.

  The present invention has been made in view of such circumstances, and provides a technique that reduces the risk of information leakage, ensures security in the use of a cloud service, and considers user convenience.

  In order to solve the above-described problem, in the present invention, processing is performed in which the authentication server determines an account for logging in to the cloud service in accordance with the location information transmitted from the client terminal. Specifically, the client terminal transmits a user ID and location information of the client terminal to the authentication server. Then, the authentication server determines an account for logging in to the cloud service in accordance with the user ID, location information, and policy information that defines the level of security by the location information.

  Further features related to the present invention will become apparent from the description of the present specification and the accompanying drawings. The embodiments of the present invention can be achieved and realized by elements and combinations of various elements and the following detailed description and appended claims.

  It should be understood that the description herein is merely exemplary and is not intended to limit the scope of the claims or the application of the invention in any way.

  According to the present invention, since the service use authority can be controlled based on the physical location of the terminal that uses the service and the location on the network, the risk of information leakage is reduced and the security in using the cloud service is ensured. be able to. In addition, since the user can use the cloud service according to the security level, it can contribute to the convenience of the user.

It is a figure which shows schematic structure of the account management system 1000 by embodiment of this invention. It is a block diagram which shows the function structure of the authentication server 100 by embodiment of this invention. It is a block diagram which shows the function structure of the client terminal 200 by embodiment of this invention. It is a figure which shows the structural example of the policy 152. FIG. It is a figure which shows the structural example of the service account management table 151. FIG. It is a figure which shows the process outline | summary in which the client terminal 200 authenticates a user to the authentication server 100. 4 is a flowchart for explaining details of processing in which the client terminal 200 logs in to the cloud service 300.

  Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In the accompanying drawings, functionally identical elements may be denoted by the same numbers. The attached drawings show specific embodiments and implementation examples based on the principle of the present invention, but these are for understanding the present invention and are not intended to limit the present invention. Not used.

  This embodiment has been described in sufficient detail for those skilled in the art to practice the present invention, but other implementations and configurations are possible without departing from the scope and spirit of the technical idea of the present invention. It is necessary to understand that the configuration and structure can be changed and various elements can be replaced. Therefore, the following description should not be interpreted as being limited to this.

  Furthermore, as will be described later, the embodiment of the present invention may be implemented by software running on a general-purpose computer, or may be implemented by dedicated hardware or a combination of software and hardware.

  In the following description, each information of the present invention will be described in a “table” format. However, the information does not necessarily have to be expressed in a data structure by a table, such as a data structure such as a list, a DB, a queue, or the like. It may be expressed as Therefore, “table”, “list”, “DB”, “queue”, etc. may be simply referred to as “information” to indicate that they do not depend on the data structure.

  In addition, when explaining the contents of each information, the expressions “identification information”, “identifier”, “name”, “name”, “ID” can be used, and these can be replaced with each other. It is.

  In the following description, each process in the embodiment of the present invention will be described with “each functional unit (for example, user authentication unit)” as the subject (operation subject), but each functional unit is configured by a program, and the program is executed by the processor. Therefore, the processing may be described using the processor as the subject, since the processing determined by using the memory and the communication port (communication control device) is performed. Further, the processing disclosed with the program as the subject may be processing performed by a computer such as an authentication server or an information processing apparatus. Part or all of the program may be realized by dedicated hardware, or may be modularized. Various programs may be installed in each computer by a program distribution server or a storage medium.

<Configuration of account management system>
FIG. 1 is a diagram showing a schematic configuration of an account management system 1000 according to the embodiment of the present invention. The account management system 1000 includes an authentication server (also referred to as “management server”, “account management device”, and “account management server”) 100, a client terminal 200, and a cloud service 300. These are connected via a network 400 such as the Internet.

  The authentication server 100 manages the user ID of the user who uses the client terminal 200. Further, as will be described later with reference to FIG. 2, the authentication server 100 manages a service account for using the cloud service 300.

  The client terminal 200 uses the cloud service 300. In order to log in to the cloud service 300, the client terminal 200 needs to be authenticated by the authentication server 100 using a user ID. When the authentication of the authentication server 100 is successful, the authentication server 100 performs service account login processing to the cloud service 300. Thereafter, the client terminal 200 can use the cloud service 300 after the service account login process is successful. Since the authentication server 100 mediates communication between the client terminal 200 and the cloud service 300, the user of the client terminal 200 knows only the authentication ID (user ID) to the authentication server 100 and does not know the account of the cloud service 300 itself. It is assumed that it is in a state. The client terminal 200 is a computer such as a personal computer 201 or a mobile terminal 202, for example. Hereinafter, the client terminal 200 is collectively referred to.

  The cloud service 300 is a service such as a cloud storage in which the client terminal 200 reads and writes data via the network 400, for example. The provider providing the cloud service 300 is not necessarily the same as the provider to which the authentication server 100 (and its constituent elements) and the client terminal 200 belong.

<Configuration of authentication server>
FIG. 2 is a block diagram showing a detailed functional configuration of the authentication server 100 according to the embodiment of the present invention. The authentication server 100 manages a service account for using the cloud service 300, and performs a service account login process to the cloud service 300 according to authentication for each user.

  The authentication server 100 includes a CPU (processor) 101 that is a calculation unit that executes various programs, a memory 102 that stores various programs, and an input / output device (as an input device) that inputs instructions and outputs calculation results. A keyboard, a mouse, a microphone, etc., such as a display, a printer, a speaker, etc.) 103, a communication device 104 for communicating with the client terminal 200 and the cloud service 300, and a storage device 150 for storing various data. doing.

  The memory 102 is a client based on the external service cooperation unit 110 as a program, the policy setting unit 120 that manages the policy shown in FIG. 4 to be described later, and the location information (coordinates and IP address) acquired from the client terminal 200. A terminal position determination unit 130 that determines the position (policy name and security level) of the terminal 200 and a terminal position information reception unit 140 that receives terminal position information from the client terminal 200 are included.

  The external service cooperation unit 110 further authenticates the user ID transmitted from the client terminal 200, and realizes access to the cloud service 300 when the user authentication by the user authentication unit 111 is completed. A login account determination unit 112 that determines which account is to use the cloud service, and a service login processing unit 113 that processes login to the cloud service 300. The functional units other than the storage device 150 will be described later in FIG.

  The storage device 150 is a database that manages a service account for the client terminal 200 to use the cloud service 300. In the storage device 150, only authentication information (ID and password) for logging in to the cloud service 300 with a service account is managed. It is assumed that other service account information, for example, information such as service use authority is managed by the cloud service 300.

  Further, the storage device 150 stores a plurality of records in a service account management table 151 provided for each user, with a set of cloud service name and service account as one record unit.

  The storage device 150 can be configured using a hard disk device or the like. Other functional units can be configured using hardware such as a circuit device that realizes these functions. As shown in FIG. 2, a program in which each function is installed is a CPU (Central Processing Unit) or the like. It can also be realized by being executed by the arithmetic unit. When realized by a program, the program corresponding to these functional units is a computer-readable storage medium (for example, a recording device such as a memory, a hard disk, an SSD (Solid State Drive), an IC card, an SD card, a DVD, or the like. Medium).

<Configuration of client terminal>
FIG. 3 is a block diagram illustrating a detailed functional configuration of the client terminal 200 according to the embodiment of the present invention. In FIG. 3, each unit other than the storage device 240 is realized as a function on software, but may be configured as hardware.

  The client terminal 200 is a CPU (processor) 201 that is a calculation unit that executes various programs, a memory 202 that stores various programs, a storage device 240 that stores various data, and inputs instructions and outputs calculation results. Input / output devices (keyboard, mouse, microphone, etc. as input devices, display, printer, speakers, etc. as output devices) 203, and a communication device 204 for communicating with the authentication server 100.

  The memory 202 stores a terminal location information change detection unit 210, a terminal location information notification unit 220, and a network connection unit 230 as programs.

  The storage device 240 stores terminal position change threshold information 241, terminal identification information 242, and authentication server address information 243.

  The terminal position information change detection unit 210 is a device or a program that executes processing for detecting a change in the position of the client terminal 200. In this specification, this “position” means the position of the client terminal 200 on the network, the physical position, or a combination thereof. For example, the position on the network by the IP address assigned to the network connection unit 230, the physical position of the client terminal 200 on the earth detected by the GPS (Grobal Positioning System) device included in the client terminal 200, and the client terminal 200 connected This corresponds to a network and physical location based on information such as an SSID (Service Set ID) and MAC address of an access point of a wireless LAN (Local Area Network), or a combination of these locations. The terminal position information change detection unit 210 refers to the terminal position change threshold information 241 stored in the storage device 240 and detects a change in the position of the terminal itself. In other words, the terminal position information change detection unit 210 compares the position on the network based on the IP address and the physical position based on the GPS with the terminal position change threshold information 241, and any position is described in the terminal position change threshold information 241. It is detected that the position has changed when the specified condition is no longer met. The terminal position change threshold information 241 will be described later.

  The terminal location information notification unit 220 is a device or program that executes a process of notifying the authentication server 100 of the terminal location information detected by the terminal location information change detection unit 210. When the change in the terminal position is notified to the authentication server 100, the terminal position determination unit 130 of the authentication server 100 determines the security level with reference to the policy (FIG. 4) 152. If there is a change in the security level, the login account determination unit 112 refers to the service account management table (FIG. 5) 151, acquires the service account ID of the user corresponding to the corresponding security level, and Seamlessly switch between accounts used by users. If no account is set, the login account determination unit 112 automatically logs out the client terminal 200 so that the cloud service 300 cannot be used. Here, the client terminal 200 is not notified that the account has been switched. Thereby, since the process in the client terminal 200 is not temporarily interrupted, the user can use the terminal without being aware of the account switching process. However, the user may be notified of account switching. In this case, the account switching is notified on the UI screen, but the account switching is completed after waiting for the approval of the switching by the user (for example, the approval when the OK button is pressed or touched).

  The network connection unit 230 is a device that connects the client terminal 200 and the network 400. For example, a wired LAN device, a wireless LAN device, a 3G (third generation mobile communication system) wireless device, or a 4G (fourth generation mobile communication system). This corresponds to a wireless device.

  The storage device 240 is used for storing information necessary for realizing communication control according to the present embodiment. For example, terminal position change threshold information 241, terminal identification information 242, and authentication server address information 243 are stored. The storage device 240 may store arbitrary information (not shown).

  The terminal position change threshold information 241 is information used by the terminal position information change detection unit 210 to determine whether or not a change has occurred in the position of the client terminal 200 (own terminal). The terminal position change threshold information 241 includes, for example, (1) a latitude / longitude range in which a company building is included, (2) an IP address range assigned to the network connection unit 230 of the client terminal 200 in the in-house network, (3) Both of them are stored. For example, in the case where the terminal position change threshold information 241 stores a latitude / longitude range in which a building of an organization to which a user such as a company belongs is stored, a GPS observation value included in the client terminal 200 is stored. When out of the latitude / longitude range, the terminal position information change detection unit 210 detects the movement of the client terminal 200 (own terminal) from the inside of the company to the outside.

  The terminal identification information 242 is information that uniquely identifies the client terminal 200. For example, the terminal unique number of the client terminal 200, a combination of a user name and a password, a MAC address of the network connection unit 230 of the client terminal 200, and a combination of these pieces of information Etc.

  The authentication server address information 243 is given by the IP address or domain name of the authentication server 100.

<Policies>
FIG. 4 is a diagram illustrating a configuration example of the policy 152 stored in the storage device 150 according to the embodiment of the present invention.

  The policy 152 stores a plurality of policy information including a policy name 501, a location range 502 on the network, a physical location range 503, and a security level 504. In FIG. 4, three pieces of policy information 505 to 507 are shown as an example.

  According to the policy information 505, the IP address assigned to the network connection unit 230 is included in the location range 502 “192.168.0.0/24” on the network, and the physical location of the client terminal 200 by GPS Is included in the physical position range 503 “latitude / longitude range in which a building is included”, the terminal position determination unit 130 recognizes the network as an “in-house network”. Further, when the terminal position determination unit 130 recognizes “in-house network”, the terminal position determination unit 130 determines the security level 504 to be “low”. The security level 504 will be described later with reference to FIG. As a situation corresponding to the policy information 505, for example, there is a case where the client terminal 200 is used in the company and the client terminal 200 is connected to the Wi-Fi access point in the company.

  Further, according to the policy information 506, the IP address assigned to the network connection unit 230 is included in the location range 502 “10.0.0.0/24” on the network, and the physical location of the client terminal 200 by GPS If there is an arbitrary position, the terminal position determination unit 130 recognizes the network as a “permitted network”. If it is recognized as “permitted network”, the terminal position determination unit 130 determines that the security level 504 is “medium”. As a situation corresponding to the policy information 506, for example, there is a case where the client terminal 200 is used outside the company but is connected to a network permitted in advance.

  According to the policy information 507, the terminal location determination unit 130 recognizes the network as an “external network” regardless of the location on the network by the IP address assigned to the network connection unit 230 and the physical location by GPS. If it is recognized as “external network”, the terminal location determination unit 130 determines that the security level 504 of the service account management table 151 is “high”. As a situation corresponding to the policy information 507, there is a case where it is connected to an in-house network and an arbitrary network not applicable to the in-house network.

<Service account management table>
FIG. 5 is a diagram showing a configuration example of the service account management table 151 stored in the storage device 150 according to the embodiment of the present invention.

  The service account management table 151 stores a plurality of account information composed of a cloud service name 601, a user ID 602, a security level 603, and a service account ID 604. In FIG. 5, three pieces of account information 605 to 607 are shown as an example.

  The account information 605 to 607 is information that is referred to in order to determine an account for logging in to the service when the user with the user ID 602 “user_A @ xx” uses the cloud service name 601 “Service1”.

  The account information 605 is information that is referred to when the security level 504 of the policy 152 is determined to be “low” with respect to the security level 603, and “account1_1 @ yy” is selected for the service account 604 to log in to the service. .

  The account information 606 is information that is referred to when the security level 504 of the policy 152 is determined to be “medium” with respect to the security level 603, and “account1_2 @ yy” is selected for the service account 604 to log in to the service. .

  The account information 607 is information that is referred to when the security level 504 of the policy 152 is determined to be “high” with respect to the security level 603, and the corresponding service account is not registered in the account 604 for logging in to the service. Therefore, it is determined that the service login is not performed.

<Overview of Cloud Service Login Process>
FIG. 6 is a diagram for explaining an outline of processing until the client terminal 200 performs authentication processing on the authentication server 100 and logs in to the cloud service 300. Here, it is assumed that the cloud service 300 is used from an in-house network.

  A user having the client terminal 200 transmits a user ID “user_A @ xx”, a password “user_A_PW”, a service name “Service1” to be used, and location information to the authentication server 100 to perform user authentication.

  If the user authentication is successful, the authentication server 100 acquires a security level from the policy 152 based on the position information transmitted from the client terminal 200. Further, the authentication server 100 determines a service account for logging in to the cloud service 300 based on the user ID, the service name, and the security level 504 acquired from the policy 152 transmitted from the client terminal 200 by using the service account management table 151. Then, the authentication server 100 logs in to the cloud service “Service1” using the ID / password of the determined service account (the password is not necessarily required. Also, the user usually does not know the password).

  When the login to the cloud service 300 is successful, the authentication server 100 transmits information (for example, URL) for accessing the cloud service 300 to the client terminal 200. When receiving the information for accessing the cloud service 300, the client terminal 200 can directly communicate with the cloud service 300 and receive a desired service.

<Details of Cloud Service Login Process>
FIG. 7 is a flowchart for explaining details of processing until the client terminal 200 authenticates with the authentication server 100 and logs in to the cloud service 300. Hereinafter, each step of FIG. 7 will be described.

(I) Step S701
The client terminal 200 transmits the authentication information (user ID and authentication password) input by the user and the information of the cloud service name to be used together with the location information on the network of the client terminal 200 to the authentication server 100.

(Ii) Steps S702 to S703
The user authentication unit 111 of the authentication server 100 performs user authentication using the authentication information received from the client terminal 200 (S702). When the authentication is rejected, a response indicating that is transmitted to the client terminal 200, the client terminal 200 displays a dialog indicating that the user authentication has failed, and the present flowchart ends (S703). If authentication is permitted, the process proceeds to step S704.

(Iii) Step S704
The terminal location determination unit 130 determines the security level based on the location information on the network received from the client terminal 200 and the policy 152.

(Iv) Step S705
The login account determination unit 112 of the authentication server 100 obtains the service login account from the service account management table 151 of the storage device 150 based on the authentication information received from the client terminal 200, the cloud service name, and the security level determined in step S704. decide.

(V) Steps S706-707
If there is a service login account that matches the conditions in the service account management table 151, the process proceeds to step S708. If there is no login account for the service that matches the conditions, the login account determination unit 112 transmits to the client terminal 200 that the login to the cloud service 300 has failed. The client terminal 200 displays a dialog indicating that the login has failed, and the flowchart ends (S707).

(Vi) Step S708
The service login processing unit 113 of the authentication server 100 executes login processing to the cloud service 300 using the login account determined in step S705.

<Summary of the present invention>
(I) As described above, the authentication server 100 according to the embodiment of the present invention associates and manages user authentication information and a plurality of account information of the cloud service 300. Further, in response to a request from the client terminal 200, a service account corresponding to each user's authentication information and the location information of the client terminal 200 is determined, and a login process to the cloud service 300 is performed. This makes it possible to control the account by logging in with an account with full access authority in the in-house network and logging in with an account with only upload authority in the external network, thereby improving security.

  In the present invention, it is possible to link a plurality of accounts having different service use authorities to one authentication ID. Further, it is possible to control the service account to log in based on the physical location information of the PC or mobile terminal and the location information on the network in authentication when using the service. For example, the service includes an account A having download authority and an account B having no download authority. When authentication is performed with an authentication server from an in-house PC, the service is logged in with account A. On the other hand, when authentication is performed from the home by the authentication server, the service is logged in with the account B. In addition, when switching to the external network after performing authentication in the in-house network, authentication is performed again at the network switching timing, and the service is logged in again with the account B. As a result, confidential files uploaded inside the company cannot be downloaded outside the company, thereby preventing leakage of confidential information and improving the security of cloud service usage.

(Ii) The present invention can also be realized by software program codes that implement the functions of the embodiments. In this case, a storage medium in which the program code is recorded is provided to the system or apparatus, and the computer (or CPU or MPU) of the system or apparatus reads the program code stored in the storage medium. In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiments, and the program code itself and the storage medium storing the program code constitute the present invention. As a storage medium for supplying such program code, for example, a flexible disk, CD-ROM, DVD-ROM, hard disk, optical disk, magneto-optical disk, CD-R, magnetic tape, nonvolatile memory card, ROM Etc. are used.

  Also, based on the instruction of the program code, an OS (operating system) running on the computer performs part or all of the actual processing, and the functions of the above-described embodiments are realized by the processing. May be. Further, after the program code read from the storage medium is written in the memory on the computer, the computer CPU or the like performs part or all of the actual processing based on the instruction of the program code. Thus, the functions of the above-described embodiments may be realized.

  Further, by distributing the program code of the software that realizes the functions of the embodiment via a network, it is stored in a storage means such as a hard disk or memory of a system or apparatus, or a storage medium such as a CD-RW or CD-R And the computer (or CPU or MPU) of the system or apparatus may read and execute the program code stored in the storage means or the storage medium when used.

  Finally, it should be understood that the processes and techniques described herein are not inherently related to any particular apparatus, and can be implemented by any suitable combination of components. In addition, various types of devices for general purpose can be used in accordance with the teachings described herein. It may prove useful to build a dedicated device to perform the method steps described herein. Various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiments. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined. Although the present invention has been described with reference to specific examples, these are in all respects illustrative rather than restrictive. Those skilled in the art will appreciate that there are numerous combinations of hardware, software, and firmware that are suitable for implementing the present invention. For example, the described software can be implemented in a wide range of programs or script languages such as assembler, C / C ++, perl, shell, PHP, Java (registered trademark).

  Furthermore, in the above-described embodiment, control lines and information lines are those that are considered necessary for explanation, and not all control lines and information lines on the product are necessarily shown. All the components may be connected to each other.

  In addition, other implementations of the invention will be apparent to those skilled in the art from consideration of the specification and embodiments of the invention disclosed herein. Various aspects and / or components of the described embodiments can be used singly or in any combination in a computerized storage system capable of managing data. The specification and specific examples are merely exemplary, and the scope and spirit of the invention are indicated in the following claims.

100: Authentication server,
DESCRIPTION OF SYMBOLS 110 ... External service cooperation part 120 ... Policy setting part 130 ... Terminal position determination part 140 ... Terminal position information receiving part 150 ... Storage device (database)
151 ... service account management table 152 ... policy 200 ... client terminal 210 ... terminal location information change detection unit 220 ... terminal location information notification unit 230 ... network connection unit 240 ... storage Device 300 ... Cloud service 400 ... Network.

Claims (9)

An account management method in which an authentication server determines an account for logging in to a cloud service according to location information transmitted from a client terminal,
The client terminal transmits a user ID and location information of the client terminal to an authentication server;
The authentication server determines an account for logging in to the cloud service in accordance with the user ID, the location information, and policy information that defines a security level according to the location information;
Seamlessly switching the account according to the policy information when detecting that the position of the client terminal has changed;
An account management method comprising: In claim 1,
The account management method, wherein the location information is location information on a network. In claim 1,
The account management method, wherein the location information is physical location information. An account management server that determines an account to log in to the cloud service according to the location information transmitted from the client terminal,
A memory for storing a program for account management;
A processor for executing account management processing;
The processor is
A process of receiving a user ID and location information of the client terminal from the client terminal when authenticating the client terminal;
Processing for determining an account for logging in to the cloud service according to the user ID and the location information, and policy information that defines a security level by the location information;
A process of seamlessly switching the account according to the policy information when detecting that the position of the client terminal has changed;
An account management server characterized by executing In claim 4,
The account management server, wherein the location information is location information on a network. In claim 4,
The account management server, wherein the location information is physical location information. An account management system in which a client terminal, an authentication server, and a cloud service are connected via a network, and the authentication server determines an account for logging in to the cloud service according to location information transmitted from the client terminal. There,
When the client terminal accesses the cloud service, the client terminal transmits a user ID of the client terminal and location information of the client terminal to the authentication server,
The authentication server receives the user ID and the location information from the client terminal, and logs in to the cloud service according to the user ID, the location information, and policy information that defines a security level by the location information. An account management system characterized in that the account is seamlessly switched according to the policy information when it is detected that the position of the client terminal has changed . In claim 7,
The account management system, wherein the location information is location information on a network. In claim 7,
The account management system, wherein the location information is physical location information.

Images