JP6718688B2 - Control level assignment data display control device, program and method - Google Patents

Description

The present invention relates to a control level giving data display control device for outputting information from a data system used for business operation of a company, a public office, a public body, etc. in a form in which confidential information is not leaked or leaked, and particularly, a personal information of a customer or Control level assignment data display control device suitable for data system used in business such as financial industry, retail/distribution business, etc., in which a large number of files containing important confidential information such as system security information are handled, and a program used therefor And method.

In general, many organizations such as corporations, public offices, and public organizations have enormous amounts of information necessary for business operations as electronic data, and a data system for using the electronic data for business operations. Is being operated.
Such a data system may be operated and operated by a computer system owned by an individual company or the like, and is called a so-called system integrator that undertakes the operation of the data system of a plurality of companies as a business. It may be managed and operated by a huge server system group owned by an information system company.

In any case, the enormous amount of data managed and operated by the data system may contain important confidential information. Here, the important confidential information includes, for example, personal information such as a name and address for identifying an individual, a bank account number, a credit card number, and a log file generated and output by the operation of the data system, Security information such as "which IP address and which port is used for listening?"
For this reason, in the operation of the data system, it is necessary to strictly protect and manage confidential information such as personal information and security information contained in the managed and operated data so as not to leak or leak to the outside.

On the other hand, when a failure or trouble occurs during the operation of the data system, log files such as application logs and infrastructure logs used in the data system are copied and output in order to respond and recover.・It is necessary to identify the cause of failure by referring to it and take measures such as removal and restoration of the failure as quickly as possible.
However, such a log file also contains confidential information such as the personal information and security information described above, and if you copy and output the log file to recover from a failure, all of the data system has The information will be output, and, of course, the confidential information contained therein will also be output to the outside.

For this reason, it is extremely important and difficult to satisfy both conflicting demands such as prompt output/reference of the log file at the time of occurrence of such a failure and protection of confidential information contained therein. ..
For such a problem, for example, by matching the NG word corresponding to the confidential information with the data such as the file to be output/referenced, the meaning of the portion that should not be shown can be defined. It is conceivable to mask a blank character string.
Further, as disclosed in Patent Document 1, for a database file having a table structure established, the presence or absence of confidential information is determined for each table, and if there is a table containing confidential information, the database file A "file editing device" has been proposed in which the copy data can be browsed after deleting all the data in the table containing the confidential information from the copy data.

JP2012-014736A

However, in the method of matching and masking the NG word corresponding to the confidential information, it is uncertain whether the NG word can reliably mask the confidential information. For example, a personal information that does not match the NG word such as a rare name. However, there is a possibility that such information may be leaked, and there is a problem that it can only handle files of a specific format.
For this reason, when copying/transferring log files for troubleshooting, it is not possible to confirm whether or not masking has been performed correctly for files that may contain confidential information. I had no choice.

Also, the technique described in Patent Document 1 can only deal with a database file having a table structure established, and cannot deal with, for example, an irregular application log file. Therefore, as in the case of the above-mentioned NG word, there is a problem that only a file of a specific format can be supported.
Also, regarding the database file with the established table structure, if confidential information is included, all information contained in the table will be deleted for each table, so data other than confidential information will be deleted uniformly. There was also a problem that it was impossible to refer to it.

The log file output from the data system contains a lot of information other than confidential information, and if these information can be referenced, it is often the case that problems and the like can be resolved and restored.
In addition, there may be cases where confidential information has a high confidentiality level to a low confidentiality level, and it is not necessary to uniformly delete it as confidential information or to make all data inaccessible in units of tables containing confidential information. ..
For example, even confidential information such as security information such as IP address and port number may be output/referenced after approval by the administrator, and it may be useful during emergency recovery. There can be data. Therefore, it may be possible to gradually cope with the failure recovery by making it possible to sequentially refer to data that does not require confidentiality protection or data with a low confidentiality level.

However, in the technique described in Patent Document 1, if confidential information exists, all confidential information and other information are uniformly deleted in units of tables including the confidential information. It was not possible to carry out a quicker recovery work utilizing the software, nor to take a flexible response according to the confidential level.
In a failed data system, it is extremely important to recover as quickly as one second. For example, the larger the system, such as the ATM system of banks, the market trading system of securities companies, the product distribution system of convenience stores, etc., the more difficult it is for restoration work to become inoperable due to the occurrence of a failure. The longer the time becomes, the greater the impact on business providers and users.

Therefore, in the case of system restoration, it is effective and important to be able to refer to all information as soon as possible as long as the information does not include confidential information. However, if flexible reference is possible according to the confidentiality level, it will be useful for early disaster recovery.
However, in the technique of Patent Document 1, if a table containing confidential information exists in the target file, all the data cannot be uniformly referenced in units of the table, so data other than confidential information is valid. It was neither possible to utilize it, nor to perform stepwise data reference depending on the confidentiality level.

Further, in the technique of Patent Document 1, after transferring the target database file to an external terminal such as an operator while keeping the confidential information, the access restriction is applied to delete the table containing the confidential information. After that, the method of releasing the access restriction is adopted.
For this reason, there is a security problem because there is a period during which confidential information exists in a low confidential level space such as a terminal of an operator.

The present invention has been proposed in order to solve the problems of the conventional techniques as described above, and when the file to be browsed contains confidential information, the file to be browsed is stepwise according to the security level. A file containing particularly important confidential information that can be browsed and referenced as quickly as possible when a failure occurs while making it possible to securely prevent the confidential information from being leaked out. The present invention aims to provide a control level assignment data display control device suitable for dealing with failures in data systems used in businesses such as the financial industry and retail/distribution industries where a large amount of data is handled, and a program and method used therefor. ..

In order to achieve the above object, the control level assignment data display control device of the present invention is an information processing device that acquires a predetermined browsing target file from a file acquisition target device, performs a predetermined processing process, and outputs the file to the browsing device. Information indicating a browsing target file that can be acquired from the file acquisition target device, a storage unit that stores browsing target file definition information that describes predetermined control level information regarding the browsing target file, and the browsing target file definition information And a browsing target file control means for performing a predetermined processing process according to a control level on the browsing target file acquired from the file acquisition target device and outputting the processed browsing target file to the browsing device. And the browsing target file control means outputs the browsing target file to the browsing device without performing the modification process when the browsing target file does not include confidential data. to contain sensitive data in a predetermined column unit to a file, it extracts the data portion not contain sensitive data in columns, subjected to processing for disabling viewing other data portions in the all units of columns, While outputting to the browsing device a browsing target file that can browse only the data portion that does not include the confidential data,
For sensitive data processing is performed for disabling viewing by the column unit, when the confidential data contained in the viewing crippled data portion is included in a predetermined word units, said word the confidential data The browsing target file in which the confidential data cannot be browsed is output to the browsing device by the processing of each unit .

Further, the present invention can be configured as a control level addition data display control program executed by the control level addition data display control device according to the present invention as described above.
Furthermore, the present invention can also be configured as a control level addition data display control method that can be implemented by the control level addition data display device and program according to the present invention as described above.

According to the present invention, when the file to be browsed contains confidential information, the file to be browsed can be browsed in stages according to the confidentiality level.
As a result, it becomes possible to browse and refer to the file necessary for occurrence of a failure as quickly as possible while surely preventing the confidential leakage of important confidential information.
Therefore, even when managing and operating a large amount of customer information in a large-scale system, such as in the financial industry, retail industry, and distribution industry, while preventing leaks of confidential information, quick and accurate response to failures is possible. It is possible to provide a data system that enables

It is explanatory drawing which shows typically the system structure provided with the control level provision data display control apparatus which concerns on one Embodiment of this invention, (a) is a browsing apparatus connected to the control level provision data display control apparatus of this invention. (B) is an example of a case where the browsing target file is transferred from the control level addition data display control device of the present invention to the browsing device as it is, and (c) is the control level addition data display control device of the present invention. 7 shows an example in which confidential data in a browsing target file is masked when the browsing target file is transferred from the browsing device to the browsing device. In the system configuration including the control level assignment data display control device according to an embodiment of the present invention, it is an explanation schematically showing the operation when the file to be browsed is transferred to the browsing device through a predetermined processing. This is an example of a case where a masking-processed browsing-targeted file that does not require approval is generated and transferred. In the system configuration including the control level assignment data display control device according to an embodiment of the present invention, together with FIG. 2, an explanation schematically showing the operation when the file to be browsed is transferred to the browsing device through a predetermined processing process. This is an example of a case in which a browse-targeted file that has been masked and requires approval is generated and transferred. (a) is a state in which a file acquisition request is notified to the approver, and (b) is a file acquisition from the approver. This shows a state in which approval has been notified and the file to be browsed after approval has been transferred. It is explanatory drawing which shows the image of a browsing target file definition with which the control level provision data display control apparatus which concerns on one Embodiment of this invention is equipped, (a) is a table structure image of a browsing target file definition, (b) is (a). ) Shows an example of a confidential data information file included in the table structure of the browse target file definition of FIG. It is explanatory drawing which shows an example of the data of the browsing object file produced|generated and transmitted by the control level provision data display control apparatus which concerns on one Embodiment of this invention, (a) of the browsing object file before a process process is performed. (B) shows the state in which all the data in the column that may contain confidential data in the file to be browsed is masked for the data shown in (a), and (c) shows the same as confidential data information. It shows that the confidential data is masked at the word level based on the above. 9 is a flowchart showing an example of an operation when a file to be browsed is processed/transferred in a system including a control level assignment data display control device according to an embodiment of the present invention.

Hereinafter, an embodiment of a control level assignment data display control device according to the present invention will be described with reference to the drawings.
Here, the control level assignment data display control device of the present invention described below is realized by processing, means, and functions executed by a computer in accordance with instructions of a program (software). The program can send a command to each component of the computer to cause it to perform a predetermined process or function according to the present invention. That is, each process, means, and function in the present invention are realized by a specific means in which a program and a computer cooperate.
All or part of the program is provided by, for example, a magnetic disk, an optical disk, a semiconductor memory, or any other computer-readable recording medium, and the program read from the recording medium is installed in the computer and executed. It The program can also be directly loaded into a computer and executed through a communication line without using a recording medium. Further, the control level assignment data display control device according to the present invention can be configured by a single information processing device (for example, one personal computer or the like), and a plurality of information processing devices (for example, a group of a plurality of server computers). Etc.).

[System configuration]
1 to 3 schematically show a system configuration including a control level assignment data display control device according to an embodiment of the present invention.
The control level assignment data display control device according to the embodiment of the present invention shown in these figures is configured as a relay server 20, and the relay server 20 includes a business server 10, a browsing server 30, and a person handling a failure 40. An information processing device such as the approver device 50 is connected to form a system including the control level assignment data display control device according to the present invention.
Then, as shown in FIG. 1, the business server 10, the relay server 20, the browsing server 30, and the fault handling terminal 40 are allowed to communicate only with adjacent devices in order to prevent unauthorized access. There is.
Specifically, communication is limited to the following devices.
-Business server 10-relay server 20
-Relay server 20-browsing server 30
-Relay server 20-Approver device 50
・Browsing server 30-terminal 40 for persons with disabilities
Therefore, for example, the failure handling terminal 40 can communicate and access the browsing server 30, but cannot directly access the business server 10 and the relay server 20.

The relay server 20 serving as the control level assignment data display control device of the present invention is configured by an information processing device such as a server computer or a personal computer.
The relay server 20 is first connected to the business server 10 in which a data system (business system) to be managed/managed is mounted/operated.
As shown in FIG. 1, the relay server 20 is an information processing device that is communicably connected to the browsing server 30 and is operable by a person in charge of operating and managing the business server 10 via the browsing server 30. The failure responder terminal 40 is indirectly connected to the relay server 20 so as to be able to communicate. Further, the relay server 20 is communicably connected to an approver device 50, which is an information processing device that can be operated by an administrator who operates and manages the business server 10.

Specifically, the browsing server 30 is communicably connected to the relay server 20, and the file data output from the business server 10 is transferred/outputted to the browsing server 30 via the relay server 20. It is supposed to be done.
In addition, the browsing server 30 is communicatively connected to a failure responder terminal 40 operated by a person in charge of maintenance/management of the business server 10 (developer/operation person).
Files and data output/transferred from the business server 10/relay server 20 via the browsing server 30 are displayed on the fault handling person terminal 40 so that the person in charge can browse/reference.

Further, the relay server 20 is connected to an approver device 50 operated by an approver (development manager/operation manager) who is responsible for the work/work of the person in charge of the fault handling terminal 40. There is.
In the approver device 50, the processed (masked) file information generated by the relay server 20, which will be described later, is checked for leakage or outflow of confidential information, and then approved.

Business server
The business server 10 is an information processing device in which a data system (business system) that is a management target of the relay server 20 that is the control level assignment data display control device according to the present invention is mounted and operated. Configure the device.
Specifically, the business server 10 is owned by, for example, a computer system owned by a company that operates its own data system, or an information system company (system integrator) that undertakes the operation of data systems of multiple companies as a business. It consists of a large-scale server system group.

The actual business server 10 may be composed of, for example, several computers to an information processing apparatus composed of several hundreds to several thousands or tens of thousands of server systems. Also in this case, a data system such as an application system or a base system required for business/operation of a company or the like is implemented/operated as a business system.
The data system (business system) operated by the business server 10 including a plurality of such information processing devices stores a log file of a system that may contain confidential information that should not be leaked or leaked. Has been done.
For example, the log file generated and output by the business server 10 contains important confidential information such as personal information and security information as described above. Therefore, such confidential information must not be leaked or leaked from the business server 10 to the outside and must be strictly managed and protected.

On the other hand, when a failure occurs in the data system in operation in the business server 10, it is necessary to find out the cause of the failure and take measures such as failure removal and system restoration as quickly and as quickly as possible. .. Then, in order to remove/recover a failure, it is necessary to output/reference a log file such as an application log or a base log operated in the data system.
Therefore, in the present embodiment, when a failure occurs in the operating data system, the necessary log file (browsing target file) is output from the business file 10 as it is, and the confidential information is stored in the browsing target file. If the data indicating the confidential information is included, the relay server 20 performs a predetermined processing process so that confidential information is not leaked or leaked, and the processed file is processed by the browsing server 30. And so on.
This makes it possible to quickly output the log file required from the business data 10 when a failure occurs, and at the same time prevent the confidential information from leaking out.

Relay server
The relay server 20 acquires a log file that is a predetermined browsing target file from the business server 10 that is the above-described file acquisition target device, performs a predetermined processing to perform the predetermined processing, and a browsing server 30 that is a browsing device or a person with a disability responder. It is an information processing device which is output and referred to by the control device 40, and constitutes the control level assignment data display control device according to the present invention.

The relay server 20 is a browsing server 30 accessible via a predetermined network to an adjacent device, specifically, a business server 10 in which a data system is operated, and a person in charge of maintaining and managing the data system. Is communicatively connected to. The relay server 20 is communicatively connected to an approver device 50 accessible by an administrator or the like who manages the person in charge. Here, the person 40 in charge of failure who is actually operated by the person in charge of maintenance and management of the data system is not directly connected to the relay server 20. Therefore, the data is not directly transferred from the relay server 20 to the person in charge of failure 40, and the security is ensured.
Then, when a failure occurs in the business server 10 to be managed, the relay server 20 temporarily copies and receives/inputs log files such as application logs and infrastructure logs output from the business server 10, and It is determined whether or not the log file contains predetermined confidential data. If the log file contains confidential data, a predetermined processing is performed and then the processed log file is stored in the browsing server 30. It is supposed to be transferred.

Specifically, the relay server 20 according to the present embodiment is configured and controlled so as to function as the storage unit 21 and the browsing target file control unit 22, as shown in FIG.
The storage unit 21 is a unit that stores information indicating a browsing target file that can be acquired from the business server 10 and browsing target file definition information that describes predetermined control level information regarding the browsing target file, and the storage according to the present invention. Constitutes a means.
Details of the browse target file definition information stored in the storage unit 21 will be described later with reference to FIGS.

The browsing target file control unit 22 performs a predetermined processing process on the browsing target file acquired from the business server 10 based on the above-described browsing target file definition information stored in the storage unit 21 according to a control level described later. Is performed, and the processed browsing target file is output to the browsing server 30 (and the person in charge of failure 40), and constitutes the display control means according to the present invention.
More specifically, the browsing target file control means 22 performs a modification process as shown in FIG. 1B when the log file of the business server 10 which is the browsing target file does not include confidential data. Without causing the log file to be output to the browsing server 30.

On the other hand, when the log file of the business server 10 includes confidential data, the browsing target file control unit 22 extracts a data portion that does not include confidential data, as shown in FIGS. 1B and 2. Processing is performed to make all other data portions unreadable, and only the data portions that do not contain confidential data are made viewable, and the log file (see FIG. 5B) is output to the viewing server 30 (column mask).
In this case, the masking process is performed on a column-by-column basis that includes confidential data, and thus the predetermined approval process via the approver device 50 is unnecessary.

Further, when the confidential data included in the data portion that is made inaccessible as described above is included in a specific format, the browsing object file control unit 22 is configured as shown in FIG. 1(c) and FIG. 3(a), As shown in (b), the confidential data is made inaccessible by a specific processing, and a log file (see FIG. 5C) in which the confidential data is inaccessible is output to the browsing server 30 (word level mask). ..
Specifically, as shown in FIG. 3A, the browsing target file control unit 22 determines a predetermined target based on the dictionary file (see FIG. 4) included in the confidential data information stored in the storage unit 21. The confidential data consisting of a character string is processed to be unreadable by a predetermined target processing method.
In this case, the browsing target file control unit 22 determines that the log file in which the confidential data cannot be browsed at the word level of the target character string is the approver device as shown in FIGS. 1C and 3B. After the predetermined approval processing executed via 50 is performed, it is output to the browsing server 30.

As described above, the log file transferred from the business server 10 to the relay server 20 under the control of the browsing target file control unit 22 has a confidential level according to the presence or absence of confidential data, the type and format of the confidential data, and the like. After the processing is executed, it is output stepwise.
As a result, log files can be viewed in stages from files that have undergone predetermined processing of confidential data, depending on the confidentiality level, preventing confidential data from being leaked and as quickly and quickly as possible. The person in charge can refer to the log file.
Details of the step-by-step processing and transfer processing of the log file executed by the browse target file control means 22 of the relay server 20 will be described later with reference to FIG.

[Browsing server/terminal for persons with disabilities]
The browsing server 30 receives the processed log file (browsing target file) from the relay server 20 and retains the processed log file on the device, and displays the processed log file on another terminal device or the like so that the log file can be browsed and referenced by a technique such as WEB. This is an information processing device, and is configured by, for example, a personal computer, a server device, or the like.
In the present embodiment, the browsing server 30 is configured to sequentially receive, overwrite, and save a plurality of browsing target files transferred from the relay server 20 according to the content/level of confidential data, as described later. The latest and final processed log files are stored and output so that they can be viewed.

The terminal 40 for persons with a disability comprises an information processing device that can access the browsing server 30, and can be configured by, for example, a personal computer, a mobile phone, a smartphone, a tablet, or the like.
When a failure occurs in the system running on the business server 10, the person who operates the failure responder terminal 40 collects information from the business server 10 via the browsing server 30 and the relay server 20, and determines the response. , The person in charge of development and the person in charge of operation.

By providing the browsing server 30 and the fault handling person terminal 40, the processed log file generated and transferred by the relay server 20 described above is arranged and stored in the browsing server 30 when a failure occurs in the business server 10. Then, the person in charge of failure 40 can display and output it, and the person in charge of solving and recovering the system failure or the like that has occurred in the business server 10 can browse and refer to the log file for investigating the cause of the failure. Become.
In addition, by configuring the browsing server 30 and the disability responder terminal 40 that are accessible thereto by separate and independent information processing devices, for example, the disability responder terminal 40 can be used by a person in charge such as a smartphone or a notebook PC. The log file output from the business server 10 can be browsed and referred to when and wherever the person in charge is, because it can be configured by a portable small terminal device or the like.

It should be noted that the browsing server 30 and the fault handling person terminal 40 are configured by a single device (for example, one PC) as long as the processed log file transferred from the relay server 20 can be output and displayed in a viewable manner. It is also possible to configure with three or more devices (for example, one browsing server 30 and a plurality of fault responder terminals 40).
Details of the log file receiving/displaying process in the browsing server 30 and the fault handling terminal 40 will also be described later with reference to FIG.

[Approver device]
The approver device 50 is an information processing device that can access the relay server 20, and is configured by, for example, a personal computer or the like. An approver who operates the approver device 50 is a development manager or an operation manager who carries out maintenance of the business server 10, and is a person who operates the above-mentioned fault handling person terminal 40 from the business server 10. The person responsible for obtaining information.

Specifically, in the approver device 50, when the log file including the confidential data is transferred from the business server 10 to the relay server 20, as shown in FIGS. 1(c) and 3(b), the relay server 20 After the confidential data included in the log file is subjected to a predetermined processing, the relay server 20 is accessed by the approver device 50, and the processed log file is confirmed by the approver. When the approver confirms that the processing (masking) is performed so that confidential data does not leak, the approver device 50 executes and notifies the relay server 20 of the approval processing.
Further, when the approval process is executed by the approver device 50, the completion of the approval process is notified to the corresponding failure responder terminal 40 by e-mail or the like (FIG. 1(c) and FIG. 3). (See (b)).

As a result, the log file processed by the relay server 20 is approved by the approver that the confidential data has been processed so that the confidential data is not leaked or leaked, and then the approved processed log file is viewed. The data is transferred to the server 30 and the terminal 40 for the person in charge of failure.
Note that the above-mentioned approver can be set according to the confidential level of the data, multiple approvers can be set, and if the confidential level is low, the approver can be omitted. It is possible. Therefore, a plurality of approver devices 50 may be provided depending on the number of approvers, and the approver device 50 may not be provided.

By providing such an approver device 50, the log file processed by the relay server 20 can be dealt with a failure in a state where the approver guarantees that the log file will be generated and processed without leakage of confidential data. It will be disclosed to the person in charge, and the leak and leakage of confidential data will be prevented more thoroughly.
Further, by determining whether or not the confidential data can be disclosed through the approval process via the approver device 50, it is possible to flexibly deal with the confidential level of the target data.
Details of the processing for approving the processed log file by the approver device 50 will also be described later with reference to FIG.

[Control level setting]
Next, the control level set/stored in the storage unit 21 of the relay server 20 according to the characteristics of the data will be described with reference to FIGS.
Here, the control level refers to different controls (regulations) with respect to the data generated and output by the business server 10, depending on the presence or absence of confidential information included in the data and whether or not predetermined processing (masking) is possible. There are a plurality of classifications/steps to be performed, and in the present embodiment, three control levels of “confidentiality level 0, 1, 2” are given.
Specifically, in the present embodiment, the data (log file) transferred/acquired from the business server 10 in the relay server 20 is classified as follows according to the content of the confidential information included in the file in units of files. However, different control levels (confidential levels 0, 1 and 2) are given accordingly.

Here, regarding the assignment and setting of the control level as shown below, the person who may browse the log file in advance determines the log file to be browsed in advance and sets the control level information to be set. (Confidentiality level/confidential data information) can be added and determined, and tagging can be performed manually, for example. Then, regarding the validity of the content of the set control level information, the approval of the approver is obtained.
Then, the storage means 21 of the relay server 20 stores the browsing target file definition (browsing target file information and confidentiality level/confidential data information), which will be described later, as the predetermined control level information to be set ( (See FIG. 4).

(1) No confidential information: Confidentiality level 0
This is a case where confidential data is not included in the log file, and it has been approved in advance by the approver that it can be referenced from anywhere at any time.
When such a file is transferred from the business server 10 to the relay server 20, the file data as it is can be transferred to the browsing server 30 without performing the processing in the relay server 20. Regarding the transferred information contents, a trail is stored in the access log.

(2) Confidential information available: Confidentiality level 1
If the log file contains sensitive data, and if the confidential data is included in a specific location (column) in the data of the file, before the confidential data to be masked at the word level described later, This is a case where all the data in the column are collectively masked. Such batch mask processing in column units can be performed more quickly than mask processing at the word level, and since all data is masked in column units, there is a risk of secret leakage. Since it is low, the approval process by the approver can be omitted. Therefore, it becomes possible to output the masked file data more quickly.
When such a file is transferred from the business server 10 to the relay server 20, the corresponding column is processed in the relay server 20, and the processed file data can be transferred to the browsing server 30. Regarding the transferred information contents, a trail is stored in the access log.

(3) Confidential information available: Confidentiality level 2
When the log file contains confidential data, the confidential data is included somewhere in the data of the file and the output location is unspecified, but mask processing at the word level based on dictionary data is possible. Is. Since such mask processing at the word level requires a long processing time and requires an approval process by an approver in order to prevent the leakage of secrets, it is necessary to perform the above-mentioned confidential level 1 column unit. As compared with the batch mask processing of (1), it takes time to output the masked file data. However, the data masked at the word level has a large amount of information that can be browsed and referenced, and can be utilized as more useful data when dealing with a failure.
When such a file is transferred from the business server 10 to the relay server 20, the data included in the file is processed in the relay server 20 at the word level, and after being approved by the approver, the processed file is processed. -Data can be transferred to the browsing server 30.

Here, an outline of the masking process in the case of "confidential level 1" and "confidential level 2" will be described below.
With respect to the data of “confidentiality level 1”, the mask processing is performed in column units and the mask processing is performed in word units, and the dictionary data is used during masking in the second stage processing.
First, when a raw file that has not been masked is transferred from the business server 10, column-wise masking is performed as the first step.
Specifically, it is determined whether batch masking is necessary for each raw file in column units, and batch masking processing is executed. It should be noted that both the “determination” and the “masking process” of the necessity of collective masking are automatically executed based on the setting.
The data masked on a column-by-column basis is transmitted to the browsing server 30 without approval by the approver. The transmission is automatically transmitted upon completion of automatic processing in the relay server 20.

Next, as a second-stage process, the raw file transferred from the business server 10 determines whether word masking is required in column units, and the masking process is performed in word units based on predetermined dictionary data. .. Both the “determination” and the “processing” of the word mask necessity here are automatically executed.
The data masked in word units is transmitted to the browsing server 30 after undergoing an approval process by the approver. The submission will be sent automatically after the approval process is complete.

Note that the above-described two-step processing performed on a file of "confidentiality level 1" does not perform word masking on the data masked in the first-step column unit, but in the entire column Is performed by replacing the masked data with the data in which only specific words in a specific column are masked.
By doing so, the data masked on a word-by-word basis has less certainty that confidential information is not included than the data masked on a column-by-column basis. The amount will increase, and the possibility of utilizing it for dealing with failures will increase. Therefore, the merit of performing the two-step processing becomes great.

With respect to the data of "confidentiality level 2", only the masking process for each word is performed, almost in the same manner as the second-stage masking process performed for the data of "confidentiality level 1".
That is, when a raw file that has not been masked is transferred from the business server 10, the masking is automatically executed in word units on the entire file based on predetermined dictionary data.
Further, the data obtained by masking the entire file in units of words is transmitted to the browsing server 30 after undergoing an approval process by the approver. The submission will be sent automatically after the approval process is complete.
As a result, as in the case of the “confidentiality level 1” data described above, the data masked in word units has a large amount of information that can be browsed/referenced, and can be effectively used as reference data when dealing with a failure. Become.

[Browse file definition table]
Regarding the different control levels as described above, in the relay server 20 according to the present embodiment, the above-mentioned storage means 21 shows a log file that is a browse target file that can be acquired from the business server 10 as shown in FIG. Information and browsing target file definition information describing predetermined control level information (confidentiality level and confidential data information) regarding the log file (browsing target file) are set and stored.
FIG. 4 is an explanatory diagram showing an image of the browsing target file definition according to the present embodiment.

Specifically, as shown in FIG. 4A, the storage unit 21 of the relay server 20 stores the file configuration data of the log file output from the business server 10 and the browsing target as information indicating the browsing target file. A “browsing target file definition table” indicating control level information regarding files is stored.
The control level information shown in this "browsing target file definition table" includes "confidentiality level" indicating whether or not the browsing target file includes confidential data indicating confidential information, and identification information of the column including the confidential data. "Confidential data information" including information indicating whether or not the confidential data can be subjected to the specific processing is stored.

In the example shown in FIG. 4(a), the "browsing target file definition table" stores information about each browsing target file regarding each item of acquisition target server, storage path, file name, confidentiality level, and confidential data information. There is.
Here, as the confidential level, as described above, for example, “level 0: confidential information is not completely included”, “level 1: confidential information is included (in a specific portion (column)) (column unit mask) "Possible)", "level 2: confidential information is included (somewhere) (word unit maskable)", and the level setting is made according to the content/structure of the confidential data.

[Confidential data information file]
As for the “confidential data information” included in the above-mentioned “browsing target file definition table”, as shown in FIG. 4B, the corresponding “confidential data information file” is provided. The confidential data information file includes a dictionary file that describes a target character string that can be subjected to specific processing, a target processing method, and the like.
In the example shown in FIG. 4B, the “confidential data information file” includes delimiter information (eg, TAB delimiter) of the file, description of each column (eg, user ID, user name, user information, etc.). Existence of confidential information (Example: Not included/Included (Can be masked in column units)/Included (Can be masked in word units)) Information is stored for each item in the dictionary definition file.
Here, as the dictionary definition file, for example, a dictionary file name in which a target character string to be masked, a masking method, etc. are described, and which dictionary file is used for which character string is specified and extracted. It is supposed to be done.

By providing the above-mentioned browse target file definition information (browsing target file definition table/confidential data information file), the log file transferred/copied from the business server 10 has a control level (confidentiality level) based on the definition information. In accordance with the above, the stepwise processing (mask) processing is executed, and a plurality of processed files are generated stepwise for the same log file according to the presence/absence/content of the processing processing, and the browsing server 30 It will be output and transferred.
This point will be described with reference to the data example shown in FIG.
FIG. 5 is an example of data generated and processed on the relay server 20 based on the file definition information to be browsed and output to the browsing server 30, where (a) is data before being processed, and (b) is (C) shows the case where all the data in the column that may contain the confidential data in the file to be browsed is masked, and (c) shows the confidential data at the word level based on the dictionary definition file. ..

In the data shown in FIG. 5, the data enclosed by the dotted line in FIG. 5A is the case where the masking is performed at the word level.
First, when the target log file does not include any confidential data as shown in FIG. 5A, the relay server 20 browses the file without performing any processing on the file. It can be transferred to the server 30.
In that case, since no confidential data is included, the approval by the approver can be automatically approved or unnecessary for the file transfer to the browsing server 30.

Next, when the confidential data that can be masked at the word level as shown in FIG. 5A is included, the control level information of “confidential level 1 (column maskable)” is given to the file. When the collective masking process for each column in the first stage is performed, processed data as shown in FIG. 5B is generated.
In this case, for a column in the file that may contain confidential data, batch mask processing is performed on a column-by-column basis so that all the data in the column cannot be viewed. In the example of FIG. 5B, all the data in the column indicated as <processing content> of the corresponding column is masked, and the processed file is transferred to the browsing server 30 in this state.
In this case, all the data in the columns that may contain confidential data are processed based on the preset file definition information for the browsing target file and cannot be browsed. Upon file transfer to 30, approval by the approver can be automatic approval or no approval is required.

Next, when confidential data that can be masked at the word level as shown in FIG. 5A is included, control level information of "confidential level 2 (word unit maskable)" is given to the file. If it has been, or if the word mask processing of the second stage is performed on the “confidential level 1” file, the processed data as shown in FIG. 5C is generated.
In this case, the relevant confidential data is extracted based on the browse target file definition information, and mask processing is performed in word units so that the confidential data cannot be browsed. In the example shown in FIG. 5C, only the confidential data portion of <processing content> is masked, and other data portions can be browsed/referenced. As a result, as indicated by the dotted line in FIG. 5C, an “error code” indicating the cause of the error, which is unviewable in the mask processing in column units (see FIG. 5B), is output in a viewable state. Will be done.
In this case, for files with only confidential data processed, whether or not all necessary confidential data is completely inaccessible is checked and approved by a prescribed approver and approved. The processed file of is transferred to the browsing server 30.

As described above, in the present embodiment, a plurality of processed files of the same file are processed according to the content/level of the confidential data included in the log file based on the browsing target file definition information stored in the relay server 20. Will be output step by step.
In this way, by changing the processing method according to the confidentiality level, even if the time required for the masking process or the approval process by the approver takes time, the viewable part can be preferentially browsed and referenced early. It becomes possible to deal with problems more quickly.

For example, for a file that does not include confidential data, when a person in charge inputs/transmits an acquisition request for the target file from the fault handling person terminal 40, he/she can immediately browse/reference through the relay server 20/browsing server 30. Becomes
Even after that, even with regard to the file for which the confidential data is masked, a plurality of processed files are sequentially output/replaced according to the confidentiality level and the approval or non-approval by the approver, and the files can be gradually viewed.
In some cases, troubleshooting of the data system can be solved by referring to only the log files that do not contain the confidential level, and even if the confidential data cannot be viewed, it can be handled if there is another viewable part. It is often the case.
Therefore, in the system according to the present embodiment, which can promptly and promptly start trouble response from the viewable data portion, it is possible to start the response work early and efficiently proceed the work sequentially thereafter. become able to.

[motion]
Next, a specific operation (control level addition data display control method) of the system including the control level addition data display control device according to the present embodiment configured as described above will be described with reference to FIG.
FIG. 6 is a flowchart showing an example of operations such as processing, transfer, approval, and browsing of the file to be browsed in this embodiment.

First of all, prior to processing such as transfer/browsing of the file to be browsed, the person in charge who may browse the log file to be browsed should previously browse the file definition information (file 4) is set.
As described above, the contents of the file definition information to be browsed are "delimiter character" if the "file itself" contains or does not contain confidential data, or if it is a "standard format file containing confidential data". Set the information such as "included (non-maskable)/included (maskable)/not included" for each column "formatted in."
As described above, the set contents are stored as the browsing target file definition (browsing target file information and confidential data information) of the relay server 20 after being confirmed by the approver.

Next, as shown in FIG. 6, the person in charge who needs to browse the log file accesses the browsing server 30 from the fault handling person terminal 40 by using, for example, the WEB system or the like, and selects the file to be browsed. It designates and transmits an application process for browsing, specifically, an acquisition request for a "column-masked file" to the browsing server 30 (step 1).
The browsing server 30 transmits a target file acquisition request to the relay server 20 based on the request received from the fault handling person terminal 40 (step 2).

The relay server 20 acquires the acquisition target file from the business server 10 on the basis of the request received from the browsing server 30 (step 3), and the confidentiality of the acquired target file is based on the browsing target file definition information. Processing including the presence or absence of data is performed (step 4).
Here, with respect to the target file acquired by the relay server 20, if the file itself does not include any confidential data, no modification processing is required, and approval processing is automatically performed (or approval is unnecessary). The target file is transferred to the terminal 40 for dealing with a failure via the browsing server 30. Therefore, the person in charge of trouble handling can immediately refer to and browse the target file almost at the same time as the browsing request (request) of the target file.

If the file itself to be browsed contains confidential data, the "confidentiality level" of the file is first determined based on the file definition information to be browsed. Then, when the file is “confidential level 1”, the “column masking process”, which is the first stage of the two-stage masking process, which performs the collective masking process in units of columns, is executed.
In the "column mask processing", the column "containing" the confidential data in the target file is extracted (see FIG. 4B), and the "column masked file" in which all the data in the corresponding column is masked is generated. Then, it is transferred to the browsing server 30 (step 4).
The browsing server 30 receives and stores the “column-masked file”, and at the same time, transfers the file to the fault handling person terminal 40 (step 5).
As a result, the acquisition of the "column masked file" is completed at the fault responder terminal 40 (step 6), and the person in charge of the fault masks only the specific column in the fault responder terminal 40 operated by himself/herself. The obtained data (see FIG. 5B) can be referred to at an early stage.

In the person with a disability support terminal 40 who has acquired and browsed the “column-masked file”, the browsing-targeted file continues to be treated as data with a smaller number of masked portions and a larger browsable portion by the second-stage mask processing in word units. A request for acquisition of the "dictionary masked file" is transmitted to the browsing server 30 (step 7).
Further, even if the file to be browsed relating to the request transmitted first from the fault handling person terminal 40 is a file to which “confidentiality level 2” is added, the request is regarded as a “dictionary masked file” and the browsing server 30. (Step 7).
The browsing server 30 transmits a target file acquisition request to the relay server 20 based on the request received from the fault handling person terminal 40 (step 8).

The relay server 20 acquires the acquisition target file from the business server 10 on the basis of the request received from the browsing server 30 (step 9), and confidentializes the acquired target file based on the browsing target file definition information. Processing according to the level of data, here, "dictionary mask processing" is performed to perform mask processing on a word-by-word basis for the entire file or confidential data included in a specific column (step 10).
In the "dictionary mask processing", the character string of the confidential data "included in a specific format" in the target file is extracted word by word from the entire file or a specific column, and the character string is specified in the browse target file definition. The mask processing is performed by a predetermined method using a dictionary or the like. For example, a "dictionary masked file" in which only a specific character string is masked so that it cannot be browsed is generated.

Next, the generated “dictionary masked file” is output/displayed so that it can be viewed on the approver device 50, and whether or not necessary confidential data has been correctly removed from the masked “dictionary masked data”. After confirmation by the administrator (step 11), a predetermined approval process (file acquisition approval) is executed (step 12).
When the file acquisition approval is executed by the approver device 50, the approval is transmitted/reflected to the relay server 20, and the approved “dictionary masked file” is surely masked with confidential data that should be inaccessible. The data is transferred to the browsing server 30 (step 13).
The "dictionary masked file" received by the browsing server 30 is arranged and stored in the browsing server 30 (step 14). At this time, if the “column-masked file” is stored first, it is replaced with the “column-masked file”, and the “dictionary masked file” is arranged and stored in the browsing server 30.
Further, when the approval process is executed by the approver device 50, it is possible to notify the corresponding failure responder terminal 40 of the completion of the approval process by e-mail or the like (FIG. 1(c) and See FIG. 3B).

In this state, the browsing server 30 sends a reception notice of the “dictionary masked file” to the failure responder terminal 40 (step 15), and the failure responder terminal 40 sends a “dictionary masked file” to the browsing server 30. Is acquired (step 16).
The browsing server 30 transfers the “dictionary masked file” to the fault responder terminal 40 based on the request received from the fault responder terminal 40 (step 17 ).
As a result, the acquisition of the "dictionary masked file" is completed at the fault responder terminal 40 (step 18), and the person in charge of the fault can view the confidential data as word-by-word unreadable. Data (see FIG. 5(c)) having many portions can be browsed and referenced, and more detailed and appropriate fault handling work can be performed.
As described above, in the system according to the present embodiment, it becomes possible to quickly and sequentially refer to the log files necessary for dealing with a failure from the viewable portion, and the speed of dealing with a failure is significantly improved. Will be able to.

As described above, according to the control level assignment data display control device according to the present embodiment, when a failure occurs in the data system, the system application log and the base log are copied from the production environment and referred to. In addition, it is possible to extract and determine whether or not the target data including the confidential data that is prohibited to be taken out from the production environment from the viewpoint of internal control includes the confidential data in file units, column units, or word units.
Then, according to the confidentiality level, it becomes possible to process the confidential data into a non-browsable state so that the confidential data can be sequentially disclosed and browsed.
As a result, it becomes possible to speedily display the browsing target data which may include the confidential data without causing a control problem.

In addition, even for confidential information, the procedure required for disclosure can be switched according to the confidentiality level, so even confidential information can be made public after approval according to the level, especially in an emergency. It becomes possible to control the displayability of required data by a workflow.
Then, the referenceable data is disclosed in order from the one with a low confidentiality level, so that it is possible to progressively deal with a system failure.

Further, in the present invention, any unit in the system can be the target of the mask processing, and the confidential information is not limited to the data in the table structure unit of the database as in the above-mentioned Patent Document 1, and the confidential information can be set in the unit of column or It is possible to set and control a fine range such as table units or word units, and if the integrity of the mask cannot be guaranteed, it will be disclosed by inserting checks and approvals by the administrator/approver. Can also be possible.
As a result, the target is not limited to only a database having a specific data structure, for example, a table structure, and it is possible to target a non-standard application log file or the like.

As described above, according to the present invention, when confidential files are included in the file to be browsed, the files to be browsed are output step by step in order of priority from the file for which the processing of the confidential data has been completed. It can be made available for viewing.
This will ensure that confidential files will not be leaked, and that necessary files will be browsed and referenced in the event of a failure as soon as possible, enabling quick and accurate restoration of the system. Become.
Further, according to the present invention, it is possible to provide an excellent fault handling system that is rich in flexibility, versatility, and expandability with respect to a target data system/data structure.

As a result, urgent and swiftness of disaster recovery is required, especially in data systems used in businesses such as finance and retail/distribution, where huge files containing a large amount of confidential data such as personal information are handled. On the other hand, even in the case of a data system or business system in which confidential data should never be leaked or leaked, conflicting requests for prompt output/reference of log files and protection of confidential information should a failure occur. It is possible to achieve both.
Therefore, according to the present invention, for example, the operation of a data system of a large enterprise that includes devices to be managed on the order of hundreds to thousands or tens of thousands, or a data system that handles a large amount of different data of multiple enterprises, etc. As a system that is operated and managed by a huge group of server systems owned by an information system company undertaken as a system, it is possible to achieve quick, accurate and appropriate response in the event of a failure and complete prevention of leakage of confidential data. It is possible to realize stable system operation.

Although the present invention has been described with reference to the preferred embodiments, it is needless to say that the present invention is not limited to the above-described embodiments and various modifications can be made within the scope of the present invention.

For example, in the above-described embodiment, two pieces of information, "confidential level" and "confidential data information", are generated and stored as "control level information" according to the present invention. It can also be provided as "control level information". For example, the attribute information of confidential information indicating whether the confidential information included in the target file is related to "personal information", "security information", or other information is changed to "control level information". Can be generated and stored as ".
Further, the "confidential information" targeted by the present invention is not limited to two, "personal information" and "security information", and even other information may be leaked or leaked to the outside. As long as it is information that should be prevented, it can be protected as "confidential information" of the present invention.
Further, in the above embodiment, three levels (confidential levels 0, 1, 2) are set for the "confidential level" set as "control level information", but the "confidential level" according to the present invention is set. Is not limited to three stages, and it is of course possible to have two stages or four or more stages.

Further, in the above-described embodiment, the data system to which the control level assignment data display control device according to the present invention is applied is described assuming a large-scale data system mounted/operated in a plurality of managed devices. The size of the data system and the device to be managed to which the present invention is applicable and the contents of the system are not particularly limited.
When a system failure occurs, it is necessary to promptly respond by outputting and referring to the log file, and the log file contains a lot of confidential data that should not be leaked or leaked outside. If so, the present invention can be applied and implemented regardless of the scale and content of the system.

10 business server 20 relay server (control level assignment data display control device)
21 Storage Means 22 Browsing Target File Control Means 30 Browsing Servers 40 Failure Response Terminals 50 Approver Devices

Claims (6)

An information processing apparatus that acquires a predetermined file to be browsed from a file acquisition target apparatus, performs predetermined processing, and outputs the file to the browsing apparatus,
Information indicating a browsing target file that can be acquired from the file acquisition target device, and a storage unit that stores browsing target file definition information that describes predetermined control level information regarding the browsing target file,
Based on the browsing target file definition information, the browsing target file acquired from the file acquisition target device is subjected to a predetermined processing process according to the control level, and the processed browsing target file is output to the browsing device. Browsing target file control means,
Equipped with
The browsing target file control means is
If the file to be browsed does not contain confidential data,
Output the file to be browsed to the browsing device without performing the processing,
If the file to be browsed contains confidential data in a specified column unit ,
Browsing that extracts the data part that does not contain confidential data in column units and performs processing that makes all other data parts inaccessible in column units and browses only the data part that does not contain the confidential data While outputting the target file to the browsing device,
Regarding the confidential data that has been processed to make it inaccessible in the column unit , if the confidential data included in the inaccessible data portion is included in a predetermined word unit ,
A control level assignment data display control device, which renders the confidential data unreadable by the word- by- word processing and outputs a browsing target file in which the confidential data cannot be browsed to the browsing device. The browsing target file control means is
If the file to be browsed contains confidential data in units of predetermined words,
2. The control level assignment data display control device according to claim 1 , wherein the confidential data is rendered unreadable by the word-by-word processing, and a browsing target file in which the confidential data is rendered unreadable is output to the browsing device. .. The browsing target file control means is
Wherein the browsing object files impossible browse confidential data, after a predetermined authorization processing has been performed, control level application data display control apparatus according to claim 1 or 2, wherein the output to the viewing device. The control level information is
Confidentiality level information indicating whether or not the browsing target file includes confidential data,
Possess the identity of the column that contains the sensitive data, the sensitive data information including information that the confidential data indicates whether it is possible to processing of the word unit, and
The confidential level information is
If the confidential file is not included in the file to be browsed, the confidential data is included in a predetermined column unit, or the confidential data is included in a predetermined word unit, it is set at a level of
4. The control level assignment data display control device according to claim 3 , wherein the predetermined approval process is performed according to the level of the confidentiality level information . The confidential data information is
It has a dictionary file describing the target character string and the target processing method capable of processing the word unit ,
The browsing target file control means is
The control level assignment data display control device according to claim 4 , wherein the confidential data composed of the target character string is processed to be unreadable by the target processing method based on the dictionary file. A computer that constitutes an information processing device that acquires a predetermined file to be browsed from a file acquisition target device, performs predetermined processing, and outputs the file to the browsing device,
A storage unit that stores information indicating a browsing target file that can be acquired from the file acquisition target device and browsing target file definition information that describes predetermined control level information regarding the browsing target file,
Based on the browsing target file definition information, the browsing target file acquired from the file acquisition target device is subjected to a predetermined processing process according to the control level, and the processed browsing target file is output to the browsing device. Browsing target file control means,
As well as
In the browsing target file control means,
If the file to be browsed does not contain confidential data,
Output the browsing target file to the browsing device without performing the processing,
If the file to be browsed contains confidential data in a specified column unit ,
The data portion not contain sensitive data is extracted in columns, processing to perform the to disable viewed with all the other data portion of the column unit, and viewable only data portion not included the sensitive data While outputting the file to be browsed to the browsing device,
Regarding the confidential data that has been processed to make it inaccessible in the column unit , if the confidential data included in the inaccessible data portion is included in a predetermined word unit ,
A control level assignment data display control program, which makes the confidential data unreadable by the word- by- word processing and outputs a browsing target file in which the confidential data cannot be browsed to the browsing device.

Images